Back when I worked at a FinTech company there was a push to use Plaid to dramatically simplify parts of our process. I couldn't get over how terrifying this service was though. Honestly, it was a part of what made me quit that job.
There were alternative ideas like the EU's Open Banking initiative (IIRC) we could have tried to look at, but nothing was anywhere near implemented. Nothing is forcing the banks in the US (where I worked) to implement anything like this. I'm not even sure it's working in the EU yet?
Anyway, this brings back nightmares. Glad I haven't been plagued with plaid since then... yet. knocks on wood
It's called PSD2 and it applies EU-wide since September 2019. Banks have to make _some_ form of API available to third parties. However, these third parties must meet certain criteria and get a license in one of the member states. This makes sense since they can access financial data, and they only have to do it once. So a fintech licensed in e.g. Belgium can access the APIs of a bank in France and vice versa. Since banks already have most of the necessary rules and paperwork in place, I've seen many banks themselves become PSD2 clients as well, offering customers the ability to manage "foreign" bank accounts through their app as well.
Banks tend to have terrible UX. A lot of that, is because they are so security-conscious that they can't move quickly or nimbly. I have known several developers that worked for banks, and their stories of their work environments have made banks a "No-How, No-Way," for me.
They did get paid well, though.
A lot of the Jurassic-scale security debacles that we read about, these days, seem to be of the "Why the HELL didn't anyone think this through?" variety.
Looks to me like impulsive "Ooh! Shiny!" programming.
All of this sounds really familiar. Isn't this exactly what Facebook used to do ~15 years ago with their "friends collector"?
I remember that at one time, Facebook had a big screen where you could enter your credentials for a variety of email providers. Facebook would then login with your credentials via IMAP, scrape all email addresses in your mailbox and match them with Facebook contacts. (Note that this was an official feature back then).
Apparently people were perfectly fine with giving Facebook all their contacts and also the full credentials to their mailbox.
Who wasn't fine with it though were the mail providers - which in the end led to the creation of OAuth, I believe.
> Facebook had a big screen where you could enter your credentials for a variety of email providers
Are people just making up wild conspiracy theories about Facebook now? They read your contacts but I’m virtually certain they never released any kind of email scanner like you described. I searched for this and came up with nothing.
EDIT: if I’m wrong please show me a source and I’ll happily retract this statement.
EDIT 2: I was wrong. See e1g’s comment below that displays this functionality.
Ok, then I have to backpedal. I indeed can't say for sure that they also scraped emails. Sorry for that.
However, they did collect your address book - that was an openly advertised feature.
My point that Facebook already back then was asking people for passwords for third-party services (not banks though) and apparently they were quite successful with it.
> Plaid wants to throw out all of those years of hard work and ask users to enter their freaking bank credentials into a third-party form.
I interviewed with them and was told the opposite of this. They want to use OAUTH or something akin. They don’t want to be in the business of handling actual passwords. I think for Chase they actually do use a form of OAUTH.
Of course, they could’ve been lying to my face but my impression was that they were being straightforward.
The banks need to provide a secure way to offer third-party access. I don’t see this as Plaid’s fault.
It isn't Plaid's fault. The majority of their traffic is oAuth. Chase for example is oAuth, as are most of the largest financial institutions now. That wasn't the case when Plaid launched and the other issue with screen scraping nobody has brought up (and the article conveniently leaves out) is it's easy to block scraping traffic. Without direct connections Plaid and all aggregators are completely at the mercy of bank systems that don't distinguish their legitimate business use case from spam.
> The status quo which Plaid aims to disrupt (ugh)
Agreed. The fetishization of disruption never sat right with me. Why not express the point in terms of solving problems for customers, rather than in terms of ruining existing businesses?
I’m not sure what distinction you want. The status quo is that for site operators and end users, there is no sane way to standardize API access across US financial institutions. The thing Plaid is “disrupting” (notably, the article says disrupt, Plaid themselves don’t mention disrupting anything on their site) is this current gap. The problem they’re solving is “people want to interact with financial institutions in a standard, programmatic way, and Plaid enables that”
Plaid didn’t say they were disrupting anything. The article derisively says they’re “disrupting”, and then complains about that term. You also disagree with the term.
So nobody involved here was fetishizing “disruption”; the only people who mentioned it did so to snark about it.
> Fixing it would require banks to develop, deploy, and standardize on better technology, and, well, good luck with that.
There's OFX. (https://en.wikipedia.org/wiki/Open_Financial_Exchange) and "OFX Direct Connect". It's literally made for the same reason Plaid exists. Most banks even allow you to export a (likely broken) version of those files manually. Plaid may be terrible, but banks basically invited this situation and help it exist.
So I disagree with the required level of effort. They had decades to do this. They care so little that one of my banks provides exported files with repeated "unique" IDs and another with the minutes instead of the day of the month (mm/MM mistake). They need to do the very minimum of actually implementing an existing standard and doing basic testing on it.
The article describes how Plaid is designed to replace the micro deposit / verify flow used by many sites to validate that you own a checking account before they deposit/withdrawal to/from that account.
I’m sure this is a reasonably common flow, but it’s only a slice of what Plaid does. They additionally do transaction parsing/normalization across a wide variety of accounts. I’ve been using Plaid for years as part of my ledger-cli workflow, to automate importing of account transactions.
The security flow is horrible, but the security flow for banks was already horrible: the reason I trust banks with my money is because of strong ability to reverse malicious activity, and regulatory oversight, not because I trust their infosec practices.
Pre-Plaid, I had some local scraping tools to pull transactions, and ran into several instances where the “MFA” step for banks allowed my “browser” to pick its own unique identifier. If I set it to “hahalol”, that was fine, and as long as I kept sending that ID, I never had to MFA again.
If we somehow had a world where there was an actual standard way to fetch data from my banks, I’d love that. I’d switch immediately. But in the current world, Plaid is pretty far down my list of financial-service-related risks.
I’m sure they’d claim they sell metadata or aggregates or something. But even if they’re selling more than they claim, I’ve accepted that as OK for my personal financial threat model.
To say the obvious, other people’s risk/reward tradeoffs will be different, and I know plenty of people who’d never consider using Plaid. But I don’t think that makes them an “evil nightmare product from security hell”.
I understand going ahead and using it. I have in the past and then stopped.
But teaching people that it’s fine to enter their bank username and password on a not-their-bank website if somebody asks nicely is inarguable creating security hell in our society.
The entire financial industry is built upon a foundation of entering sensitive information all over the place.
Swipe cards gave merchants your credit card number. Checks still give the recipient and every intermediary your full account and routing number. When you pay at any website, you’re entering in your full credit card number.
Modern finance is a teetering stack of measures designed to account for this and handle cases where fraud or other malice occur.
Plaid does not sell any user data to third parties. It's entirely funded by developers that pay to use the data, and who are also prevented from selling or otherwise sharing data.
Your credentials also don't touch Plaid servers for the majority of traffic now; there are still legacy screen scraping extractors but Plaid can't exactly put a gun to a financial institution's head and force them to provide an API.
It's only been recently that Plaid got to a size that players like Capital One or Wells Fargo are forced to play nice and sign a data access agreement or tell their users why they can't use Venmo.
> the reason I trust banks with my money is because of strong ability to reverse malicious activity
Note that most banks will not reverse transactions made using your username & password. Plaid's security flow gets rid of the ability to reverse malicious activity.
I had the a similar response to being required to use Plaid in order to try Robinhood. And by "required" I mean that they said "this is required" and I declined to everything without looking back. My response did not have quite the level of eloquence and wisdom as the OP's:
"What the actual fuck!"
They actually asked for my private bank account information, that which is for me alone to know, that the bank explicitly told me not to share. It's a highly literal form of spilling my guts to share this, it's so so bad. Like literally I was talking to a psychiatrist at one point (I am open about having ADD, and treating it requires seeing a psychiatrist), and I mentioned a friend I didn't want to talk about. This doctor started to pry, but he couldn't get anywhere with his line of questioning. I just told him it was private and that's it. And then to illustrate my point I told him it was like he was asking for my bank account number. And he didn't drop it fast enough, it was pretty comical, for about a second this doctor was visibly curious about my bank account number.
Like if you ask people this it means you want to steal from them obviously, it is stealing. Plaid was caught stealing, but not explicitly, like they knew they'd be in shit up to their lower eyelid if the embezzled from their users, and that further it would destroy their industry, but I divine that they totally considered it in private. Not even saying it was brought up in a meeting, it's that touchy, but it's just too obvious they were putting themselves in a position to steal. That's not what their idealistic-sounding public-facing business plan is, like I won't have anything to do with them but I imagine it is about democratizing banking. In fact it is about democratizing each user's personal banking information.
And sure enough, this start-up scraped the data in the bank accounts and sold it. They got a great price for that, I can tell you that right now, data is most valuable when its collected nonconsensually. It tells them what people bought, at what exact time, where, with what means, basically how much they're willing to pay, and on top of that how much money they have in the bank, which allows the data buyers like car dealerships and hospitals to charge them 100% of what they're able to pay. That means you're left with nothing. If the hospital, boss, landlord, and salesman can see invade your privacy, you will be left with nothing. Literally means being forced to play poker with your hand revealed.
You are not plaids customers. They will be selling your transactions to everyone and anyone. It's pretty easy to identify people from their transactions.
I disagree. Yes, Plaid should be fined or even liquidated for selling their customers' data. Yes, their security approach is a nightmare. On the other hand, the choice of whom to let process your data should be yours and companies should not be able to limit that under CFAA or "for your safety" pretexts.
I think mandating API access for large consumer-facing apps is the way to go. Think of it as a "power of an attorney for all things digital". And banks are not "inflexible and slow on the uptake for new technology". In Europe the API integration only happened with the "help" of lawmakers: https://www.bloomberg.com/professional/blog/europes-new-api-...
Unfortunately the only current and sane way to allow users to aggregate their financial data seems to be by having users pull .csv files from all of their accounts (at least where I am, in Canada).
In Europe there is the PSD2 [1] standard that basically forces (since 2020) all banks to provide some form of API to access and control customer accounts. And since all banks already had to go thorugh the work of creating an API, some of them even make them completely publicly avaiable (which isn't strictly required by PSD2).
I once built a script to pull all transactions from my bank account to create a financial history in just one afternoon. No scraping or shady third-party services neeed.
It takes a while to get such regulations into effect, but I think this would be a much better alternative to services like Plaid.
While I agree on the security concerns, end users will most likely continue to use it as there’s no other current method for some of the functionality they provide. End users make these decisions all the time and if you think the average user is looking to see if their connection is TLS or even at the certificate I’d wager you’re very very wrong (2-3% at most would be my guess).
When given the choice between less security or more functionality end users will typically choose more functionality (how many users did the same with mint).
The breakdown imho is banks are slow to adopt new standards, not because they’re so concerned about security but because their infosec dept is small, other priorities or in a lot of cases the entire function is outsourced.
The article correctly points out that Plaid helps avoid the whole challenge deposit problem, which is a real source of issues in US banking.
What this misses, and what everyone forgets, is that Plaid didn't invent this concept of using bank logins to verify account ownership. As far as I know, this was Yodlee's innovation. But anyone who has used Yodlee will tell you their API was designed by people who hate software developers, so an opportunity existed for someone to help businesses do bank account validation using sensible APIs - e.g. Plaid.
Banks have known about Yodlee (and now Plaid) for years. Some approve of them, even making it easier for them to recognize account numbers for validation. Others do not approve of them, and in some cases the tools have to do crazy things like downloading bank statements and parsing account numbers out of PDFs. But the banks have no real choice but to tolerate the existence of these tools because there's no better system in the US.
Getting banks to work together on interoperability is a harder problem than tolerating a set of centralized and well known tools that use account logins for a well understood validation purpose. These tools have a job to do, everyone in the ecosystem understands what that is, and everyone puts up with it for lack of a better option.
First, today a majority of all bank connections are on APIs or OAuth. This is mostly for the biggest banks in the U.S., but we also support some of the biggest platforms on top of which smaller banks & credit unions operate. We don’t want to be in the business of handling credentials in the long-term, for many of the reasons the author of the post pointed out. However, it will take years for this transition to happen with more than 11k banks in the United States. This is something we’ve been pushing for and we’ve worked closely with a lot of financial institutions to support OAuth and even App2App (which is a win not just for security, but also for convenience).
Second, the author focuses on what we call payment authentication (verifying account and routing information), but Plaid is used to power a lot of other use cases across fintech: lending, financial management, identity verification, brokerage, neo banking, etc. So although micro-deposits support verifying payment authentication, they do not support any of these other use cases.
Every day there are tens of millions of people who were not served by the traditional financial system who get access to better financial services because of Plaid. And that would not be possible without what we do.
Third, there are a few insinuations in this thread that we sell user data. We do not: the data goes from you to the app you authorize, through Plaid. We do provide some enhancements to the data for that app – e.g., fraud protection, transaction categorization, normalization of data (which is different for each financial institution).
(I can’t speak much to the lawsuit settlement for obvious legal reasons.)
Fourth, I do appreciate keeping companies honest about security practices. We invest a lot in security and privacy, and look forward to the day a post like this cannot be written because every bank is on OAuth. In the meantime, though, we’re actually the ones pushing for this – OAuth would not be happening at any banks if it weren’t for Plaid (there were companies that did what Plaid did for nearly a decade before we started and made zero progress in improving the technological foundation on top of which financial services are built). You may not believe in the current experience, but we view it as a key and necessary part to transitioning to better financial services and infrastructure for everyone.
CTO or not, that which is described here is nothing but predatory, and if you think there is anything ethical about it, or that the ends justified the means, you're not looking far enough down the road.
You have violated so many long standing regulations, that I am struck dead at my own ability to put myself in shoes that would be able to converge on justifying and managing that business unit knowing what I was doing.
You do not embrace deceptive practices.
You do not usurp and defraud users by accessing their data in excess of what you immediately need to do just what you told them you'd be doing.
You do not commit crimes and hide them long enough, counting on getting "too big to be held to account for it".
You traded your integrity the moment you signed on and okayed that without resistance. You betrayed an implicit mandate to do fair and non-deceptive business in every jurisdiction in the United States. Maybe you're surrounded by people who aren't grounded enough to call a spade a spade, but consider yourself notified by someone who is.
Ya done goofed. Willfully or not I don't have the evidence to support, but ya did. It is my personal hope that Plaid's settlement is rejected, because people deserve to have the character of this group brought into the light of day. Whether Plaid comes out squeaky clean, or the rest of the industry gets indicted for their refusal to integrate, necessitating the measure, I don't care. People need to know though.
What is detailed in the impending settlement is not at all acceptable.
49 comments
[ 3.3 ms ] story [ 97.0 ms ] threadThere were alternative ideas like the EU's Open Banking initiative (IIRC) we could have tried to look at, but nothing was anywhere near implemented. Nothing is forcing the banks in the US (where I worked) to implement anything like this. I'm not even sure it's working in the EU yet?
Anyway, this brings back nightmares. Glad I haven't been plagued with plaid since then... yet. knocks on wood
It's called PSD2 and it applies EU-wide since September 2019. Banks have to make _some_ form of API available to third parties. However, these third parties must meet certain criteria and get a license in one of the member states. This makes sense since they can access financial data, and they only have to do it once. So a fintech licensed in e.g. Belgium can access the APIs of a bank in France and vice versa. Since banks already have most of the necessary rules and paperwork in place, I've seen many banks themselves become PSD2 clients as well, offering customers the ability to manage "foreign" bank accounts through their app as well.
They did get paid well, though.
A lot of the Jurassic-scale security debacles that we read about, these days, seem to be of the "Why the HELL didn't anyone think this through?" variety.
Looks to me like impulsive "Ooh! Shiny!" programming.
I remember that at one time, Facebook had a big screen where you could enter your credentials for a variety of email providers. Facebook would then login with your credentials via IMAP, scrape all email addresses in your mailbox and match them with Facebook contacts. (Note that this was an official feature back then).
Apparently people were perfectly fine with giving Facebook all their contacts and also the full credentials to their mailbox.
Who wasn't fine with it though were the mail providers - which in the end led to the creation of OAuth, I believe.
Are people just making up wild conspiracy theories about Facebook now? They read your contacts but I’m virtually certain they never released any kind of email scanner like you described. I searched for this and came up with nothing.
EDIT: if I’m wrong please show me a source and I’ll happily retract this statement.
EDIT 2: I was wrong. See e1g’s comment below that displays this functionality.
However, they did collect your address book - that was an openly advertised feature.
My point that Facebook already back then was asking people for passwords for third-party services (not banks though) and apparently they were quite successful with it.
I interviewed with them and was told the opposite of this. They want to use OAUTH or something akin. They don’t want to be in the business of handling actual passwords. I think for Chase they actually do use a form of OAUTH.
Of course, they could’ve been lying to my face but my impression was that they were being straightforward.
The banks need to provide a secure way to offer third-party access. I don’t see this as Plaid’s fault.
- Why?
- Otherwise I've got to do dirty and potentially dangerous things.
- Why?
- Because of my business model.
> The status quo which Plaid aims to disrupt (ugh)
Agreed. The fetishization of disruption never sat right with me. Why not express the point in terms of solving problems for customers, rather than in terms of ruining existing businesses?
Plaid didn’t say they were disrupting anything. The article derisively says they’re “disrupting”, and then complains about that term. You also disagree with the term.
So nobody involved here was fetishizing “disruption”; the only people who mentioned it did so to snark about it.
You presumably don't agree, or you wouldn't be dismissing it as snark.
> So nobody involved here was fetishizing “disruption”
Right, Drew mentioned it in passing. Hence It's a minor point and somewhat off topic.
There's OFX. (https://en.wikipedia.org/wiki/Open_Financial_Exchange) and "OFX Direct Connect". It's literally made for the same reason Plaid exists. Most banks even allow you to export a (likely broken) version of those files manually. Plaid may be terrible, but banks basically invited this situation and help it exist.
So I disagree with the required level of effort. They had decades to do this. They care so little that one of my banks provides exported files with repeated "unique" IDs and another with the minutes instead of the day of the month (mm/MM mistake). They need to do the very minimum of actually implementing an existing standard and doing basic testing on it.
I’m sure this is a reasonably common flow, but it’s only a slice of what Plaid does. They additionally do transaction parsing/normalization across a wide variety of accounts. I’ve been using Plaid for years as part of my ledger-cli workflow, to automate importing of account transactions.
The security flow is horrible, but the security flow for banks was already horrible: the reason I trust banks with my money is because of strong ability to reverse malicious activity, and regulatory oversight, not because I trust their infosec practices.
Pre-Plaid, I had some local scraping tools to pull transactions, and ran into several instances where the “MFA” step for banks allowed my “browser” to pick its own unique identifier. If I set it to “hahalol”, that was fine, and as long as I kept sending that ID, I never had to MFA again.
If we somehow had a world where there was an actual standard way to fetch data from my banks, I’d love that. I’d switch immediately. But in the current world, Plaid is pretty far down my list of financial-service-related risks.
To say the obvious, other people’s risk/reward tradeoffs will be different, and I know plenty of people who’d never consider using Plaid. But I don’t think that makes them an “evil nightmare product from security hell”.
But teaching people that it’s fine to enter their bank username and password on a not-their-bank website if somebody asks nicely is inarguable creating security hell in our society.
Swipe cards gave merchants your credit card number. Checks still give the recipient and every intermediary your full account and routing number. When you pay at any website, you’re entering in your full credit card number.
Modern finance is a teetering stack of measures designed to account for this and handle cases where fraud or other malice occur.
Your credentials also don't touch Plaid servers for the majority of traffic now; there are still legacy screen scraping extractors but Plaid can't exactly put a gun to a financial institution's head and force them to provide an API.
It's only been recently that Plaid got to a size that players like Capital One or Wells Fargo are forced to play nice and sign a data access agreement or tell their users why they can't use Venmo.
I'm curious why you would say that.
What flaws have you seen in currently banking systems?
Note that most banks will not reverse transactions made using your username & password. Plaid's security flow gets rid of the ability to reverse malicious activity.
"What the actual fuck!"
They actually asked for my private bank account information, that which is for me alone to know, that the bank explicitly told me not to share. It's a highly literal form of spilling my guts to share this, it's so so bad. Like literally I was talking to a psychiatrist at one point (I am open about having ADD, and treating it requires seeing a psychiatrist), and I mentioned a friend I didn't want to talk about. This doctor started to pry, but he couldn't get anywhere with his line of questioning. I just told him it was private and that's it. And then to illustrate my point I told him it was like he was asking for my bank account number. And he didn't drop it fast enough, it was pretty comical, for about a second this doctor was visibly curious about my bank account number.
Like if you ask people this it means you want to steal from them obviously, it is stealing. Plaid was caught stealing, but not explicitly, like they knew they'd be in shit up to their lower eyelid if the embezzled from their users, and that further it would destroy their industry, but I divine that they totally considered it in private. Not even saying it was brought up in a meeting, it's that touchy, but it's just too obvious they were putting themselves in a position to steal. That's not what their idealistic-sounding public-facing business plan is, like I won't have anything to do with them but I imagine it is about democratizing banking. In fact it is about democratizing each user's personal banking information.
And sure enough, this start-up scraped the data in the bank accounts and sold it. They got a great price for that, I can tell you that right now, data is most valuable when its collected nonconsensually. It tells them what people bought, at what exact time, where, with what means, basically how much they're willing to pay, and on top of that how much money they have in the bank, which allows the data buyers like car dealerships and hospitals to charge them 100% of what they're able to pay. That means you're left with nothing. If the hospital, boss, landlord, and salesman can see invade your privacy, you will be left with nothing. Literally means being forced to play poker with your hand revealed.
Bank robbers.
I think mandating API access for large consumer-facing apps is the way to go. Think of it as a "power of an attorney for all things digital". And banks are not "inflexible and slow on the uptake for new technology". In Europe the API integration only happened with the "help" of lawmakers: https://www.bloomberg.com/professional/blog/europes-new-api-...
Unfortunately the only current and sane way to allow users to aggregate their financial data seems to be by having users pull .csv files from all of their accounts (at least where I am, in Canada).
In Europe there is the PSD2 [1] standard that basically forces (since 2020) all banks to provide some form of API to access and control customer accounts. And since all banks already had to go thorugh the work of creating an API, some of them even make them completely publicly avaiable (which isn't strictly required by PSD2).
I once built a script to pull all transactions from my bank account to create a financial history in just one afternoon. No scraping or shady third-party services neeed.
It takes a while to get such regulations into effect, but I think this would be a much better alternative to services like Plaid.
[1] https://en.wikipedia.org/wiki/Payment_Services_Directive
Such a weird looking word, plaid. Pronounced as /plad/, but as written you want to pronounce it as /played/.
https://bleep.com/artist/27-plaid
What this misses, and what everyone forgets, is that Plaid didn't invent this concept of using bank logins to verify account ownership. As far as I know, this was Yodlee's innovation. But anyone who has used Yodlee will tell you their API was designed by people who hate software developers, so an opportunity existed for someone to help businesses do bank account validation using sensible APIs - e.g. Plaid.
Banks have known about Yodlee (and now Plaid) for years. Some approve of them, even making it easier for them to recognize account numbers for validation. Others do not approve of them, and in some cases the tools have to do crazy things like downloading bank statements and parsing account numbers out of PDFs. But the banks have no real choice but to tolerate the existence of these tools because there's no better system in the US.
Getting banks to work together on interoperability is a harder problem than tolerating a set of centralized and well known tools that use account logins for a well understood validation purpose. These tools have a job to do, everyone in the ecosystem understands what that is, and everyone puts up with it for lack of a better option.
First, today a majority of all bank connections are on APIs or OAuth. This is mostly for the biggest banks in the U.S., but we also support some of the biggest platforms on top of which smaller banks & credit unions operate. We don’t want to be in the business of handling credentials in the long-term, for many of the reasons the author of the post pointed out. However, it will take years for this transition to happen with more than 11k banks in the United States. This is something we’ve been pushing for and we’ve worked closely with a lot of financial institutions to support OAuth and even App2App (which is a win not just for security, but also for convenience).
Second, the author focuses on what we call payment authentication (verifying account and routing information), but Plaid is used to power a lot of other use cases across fintech: lending, financial management, identity verification, brokerage, neo banking, etc. So although micro-deposits support verifying payment authentication, they do not support any of these other use cases.
Every day there are tens of millions of people who were not served by the traditional financial system who get access to better financial services because of Plaid. And that would not be possible without what we do.
Third, there are a few insinuations in this thread that we sell user data. We do not: the data goes from you to the app you authorize, through Plaid. We do provide some enhancements to the data for that app – e.g., fraud protection, transaction categorization, normalization of data (which is different for each financial institution).
(I can’t speak much to the lawsuit settlement for obvious legal reasons.)
Fourth, I do appreciate keeping companies honest about security practices. We invest a lot in security and privacy, and look forward to the day a post like this cannot be written because every bank is on OAuth. In the meantime, though, we’re actually the ones pushing for this – OAuth would not be happening at any banks if it weren’t for Plaid (there were companies that did what Plaid did for nearly a decade before we started and made zero progress in improving the technological foundation on top of which financial services are built). You may not believe in the current experience, but we view it as a key and necessary part to transitioning to better financial services and infrastructure for everyone.
But no.
https://considertheconsumer.com/wp-content/uploads/2021/08/I...
CTO or not, that which is described here is nothing but predatory, and if you think there is anything ethical about it, or that the ends justified the means, you're not looking far enough down the road.
You have violated so many long standing regulations, that I am struck dead at my own ability to put myself in shoes that would be able to converge on justifying and managing that business unit knowing what I was doing.
You do not embrace deceptive practices. You do not usurp and defraud users by accessing their data in excess of what you immediately need to do just what you told them you'd be doing. You do not commit crimes and hide them long enough, counting on getting "too big to be held to account for it".
You traded your integrity the moment you signed on and okayed that without resistance. You betrayed an implicit mandate to do fair and non-deceptive business in every jurisdiction in the United States. Maybe you're surrounded by people who aren't grounded enough to call a spade a spade, but consider yourself notified by someone who is.
Ya done goofed. Willfully or not I don't have the evidence to support, but ya did. It is my personal hope that Plaid's settlement is rejected, because people deserve to have the character of this group brought into the light of day. Whether Plaid comes out squeaky clean, or the rest of the industry gets indicted for their refusal to integrate, necessitating the measure, I don't care. People need to know though.
What is detailed in the impending settlement is not at all acceptable.