Hacker News | jeandenis's comments

Ok, but passing laws is a bug not a feature right?


The Order of Time by Carlo Rovelli is accessible to all (no math)


On a related topic, "The magic furnace" delves into the origin of the elements.


This looks pretty cool, thanks


I already have this one on audiobook, thanks


Plaid CTO here. This is not accurate. On 1: We do not (and never have) sell data to third parties. On 2: We have been a proponent of open authentication standards like OAuth and App2App, and today a majority of our bank connections run via bank APIs; in fact, as Zach pointed out, we’ve helped many financial institutions move towards OAuth. We don’t want to handle credentials in the long term. However, it will take years for a full transition to APIs to happen with more than 11k banks in the United States, and we feel that it's important to support the tens of millions of Americans who bank at those institutions.


Considering everything, Zach and Plaid had to walk back all of your BS about Stripe stealing everything. Under the hood, Plaid lost to MX and Finicity with Stripe, and then accused Stripe of impropriety. Stripe isn't a moral leader in this world by any means. Plaid though? You are even worse because you act smug as an organization.

There were whistleblowers in 2018 who said Plaid did sell data, and I am not sure anything came of it. Why collect more information than necessary in your screen scraping? Something is not adding up.


(Plaid CTO) No. I answered in more depth in a separate thread.


Thanks. Glad to read these explanations.


Plaid CTO here.

First, today a majority of all bank connections are on APIs or OAuth. This is mostly for the biggest banks in the U.S., but we also support some of the biggest platforms on top of which smaller banks & credit unions operate. We don’t want to be in the business of handling credentials in the long term, for many of the reasons the author of the post pointed out. However, it will take years for this transition to happen with more than 11k banks in the United States. This is something we’ve been pushing for, and we’ve worked closely with a lot of financial institutions to support OAuth and even App2App (which is a win not just for security, but also for convenience).

Second, the author focuses on what we call payment authentication (verifying account and routing information), but Plaid is used to power a lot of other use cases across fintech: lending, financial management, identity verification, brokerage, neo banking, etc. So although micro-deposits support verifying payment authentication, they do not support any of these other use cases.

Every day there are tens of millions of people who were not served by the traditional financial system who get access to better financial services because of Plaid. And that would not be possible without what we do.

Third, there are a few insinuations in this thread that we sell user data. We do not: the data goes from you to the app you authorize, through Plaid. We do provide some enhancements to the data for that app – e.g., fraud protection, transaction categorization, normalization of data (which is different for each financial institution).

(I can’t speak much to the lawsuit settlement for obvious legal reasons.)

Fourth, I do appreciate keeping companies honest about security practices. We invest a lot in security and privacy, and look forward to the day a post like this cannot be written because every bank is on OAuth. In the meantime, though, we’re actually the ones pushing for this – OAuth would not be happening at any banks if it weren’t for Plaid (there were companies that did what Plaid did for nearly a decade before we started and made zero progress in improving the technological foundation on top of which financial services are built). You may not believe in the current experience, but we view it as a key and necessary part to transitioning to better financial services and infrastructure for everyone.


Sorry.

But no.

https://considertheconsumer.com/wp-content/uploads/2021/08/I...

CTO or not, that which is described here is nothing but predatory, and if you think there is anything ethical about it, or that the ends justified the means, you're not looking far enough down the road.

You have violated so many long-standing regulations that I am struck dead at my own ability to put myself in shoes that would be able to converge on justifying and managing that business unit knowing what I was doing.

You do not embrace deceptive practices. You do not usurp and defraud users by accessing their data in excess of what you immediately need to do just what you told them you'd be doing. You do not commit crimes and hide them long enough, counting on getting "too big to be held to account for it".

You traded your integrity the moment you signed on and okayed that without resistance. You betrayed an implicit mandate to do fair and non-deceptive business in every jurisdiction in the United States. Maybe you're surrounded by people who aren't grounded enough to call a spade a spade, but consider yourself notified by someone who is.

Ya done goofed. Willfully or not I don't have the evidence to support, but ya did. It is my personal hope that Plaid's settlement is rejected, because people deserve to have the character of this group brought into the light of day. Whether Plaid comes out squeaky clean, or the rest of the industry gets indicted for their refusal to integrate, necessitating the measure, I don't care. People need to know though.

What is detailed in the impending settlement is not at all acceptable.


(Plaid CTO here)

You can use the Plaid Portal (https://my.plaid.com) to view what types of data are being shared, to revoke access (to both the apps and Plaid) and delete data stored in Plaid’s systems. You can also put a data deletion request through support.

Not as per my comment above that we don’t, and have not, sold data. https://plaid.com/legal/#consumer-support


I have tried to log in to this site, registered my phone number, and it says it can't find any accounts of mine. Yet I know YNAB uses Plaid as its backend, and has links to my banks, credit card companies, and even my mortgage.

Is this a bug, or are those of us that use certain 3rd parties not able to see our data?


Would love to help with this. YNAB hasn't always been a Plaid customer, so it might have been a historical connection -- either way, please contact our support team to help you figure this out ASAP https://my.plaid.com/help


You have customers that use consumer data and they don't have to pay for it? Where can I get this free data?


Why did you settle for $58M in fines when Yodlee does the same thing but they very blatantly sell customer data, and as of yet, remain untouchable?


Visibility in my opinion.

Plaid is a financially juicy target that has a lot of customers.


Hey, CTO from Plaid here. We don’t, and have not, sold data.

https://plaid.com/legal/#consumer-support

As someone who has overseen our consumer privacy team over the past few years building out products like Plaid Link and Plaid Portal, I can attest this is a foremost priority for the company. FWIIW, I don’t agree with the allegations, and you can read our POV on this blog post.

https://plaid.com/blog/plaids-commitment-to-consumer-privacy...


Based on this, and the blog post, they clearly take issue with the term ‘sold’. Making the users' data accessible via API to customers who’ve paid for access to said data does not constitute ‘being sold’, as far as their lawyers are concerned. The fact that 98 million users disagree is unfortunate...

The product was sold as infrastructure, and used as data collection, and 98 million users were not aware of that.

If you’re unable to reconcile why users of Square Cash would be confused when they hear their data is accessible through some service called ‘Plaid’ for which they’ve never signed up, or given their data, then maybe you could start with defining terms as they would, rather than how you’d prefer they sound.

Having data in a database doesn’t make it yours; it’s the user's. It was when it was in their bank, it is when you move it to your service, and it remains so when you provide it to someone else.


I replied in a few other threads on this. We don't make the user's data accessible via API outside of the app the user connected. Your personal data is not sold or rented or given away or bartered to parties that are not Plaid, your bank, or the connected app.

We talk about all of this in our privacy policy, including ways that data could be used — for example, with data processors/service providers (like AWS which hosts our services) for the purposes of running Plaid’s services or for a user’s connected app to provide their services.

Here's the policy if you want to look: https://plaid.com/legal/#consumers


I don't think the policy helps much. For example,

> We share your End User Information for a number of business purposes:

> - With the developer of the application you are using and as directed by that developer (such as with another third party if directed by you);

> - With our data processors and other service providers, partners, or contractors in connection with the services they perform for us or developers;

This is so vague that I don't know what it's even supposed to mean. What Plaid lawyers will argue it means when pressed is a further question.


> What Plaid lawyers will argue it means when pressed is a further question.

And thanks to Plaid settling, their lawyers won't be pressed.


Thank you for the response — I know you're likely very restricted in what you can say here, but:

You just settled a claim that you sold customer transaction histories, and from the article linked, the plaintiffs' lawyers claim that you have agreed to implement meaningful business practice changes to remediate these issues.

(1) If you've never sold transaction histories, why settle a lawsuit alleging that you sold transaction histories?

(2) What meaningful business practice changes could you be making if there's no issue to begin with?

(I'm relying on the article here as a source of truth).


You’re right that I can’t write much (legal, PR team say hello).

The bottom line point is, we don’t sell data and that’s not the main allegation. The main allegation is that people didn’t understand that we were part of the flow of connecting banks to apps. We disagree.

Before 2017, there was a whitelabel experience of Plaid that didn’t say “Plaid”, didn’t have the Plaid logo, etc. We still stand by our belief that our disclosures at the time were more than adequate. But it’s not something we want to have protracted litigation around.

The reality is that our experience today is vastly different (and has been for a while). As for “what meaningful business practice changes could you be making if there's no issue to begin with.” Like most companies, we’re always making improvements to our experience -- today we have a consent pane that makes our role clear, a portal for people to manage their data, etc.


> Plaid would retain access to their credentials and use them to mine, aggregate and then sell users’ financial transaction data to third parties (including to the fintech apps that use its services) for purposes unrelated to the plaintiffs’ use of the fintech payment apps. [1]

This is allegedly from the lawsuit. I can see your perspective — that it made sense to settle because of the privacy accusation, but you still deny the other accusations. I understand that perspective, though as I'm sure you can understand, it's hard to know for sure based on the allegations and the settlement.

[1] https://newmedialaw.proskauer.com/2021/05/11/plaid-federal-e...


Risk scores for this product.

https://plaid.com/signal/


Pre-2017 Plaid was awesome. You were able to just feed in a username and password of a bank account you collected with your own UI and it would spit out its transactions.


IANAL and have no affiliations to Plaid. My takeaway from the article and [0] is that Plaid violated privacy laws because they provided insufficient disclosure with respect to the collected data, not that they are selling data to third parties.

Edit: Update [0] to source

[0] https://newmedialaw.proskauer.com/2021/05/11/plaid-federal-e...


(IANAL either) I understand and agree that part of the issue is that they, allegedly, underhandedly collected this data. My question is focused around the potential selling of that data, which took place according to the lawsuit and was likely the reason to collect the data.

From the article you linked:

> Plaid would retain access to their credentials and use them to mine, aggregate and then sell users’ financial transaction data to third parties (including to the fintech apps that use its services) for purposes unrelated to the plaintiffs’ use of the fintech payment apps.


> My question is focused around the potential selling of that data, which took place according to the lawsuit and was likely the reason to collect the data.

They would kind of have to be idiots to do so, to be quite frank.

Up until like a year ago, their baseline product was $500 / mo plus $x / user after 100 users (iirc) with a 12 month contract.

Plaid has basically no competition, is worth billions, and was almost acquired if not for an antitrust suit.

I am not sure how Plaid or its founders would benefit financially by betraying the trust of their customers and their customers' customers by getting a few cents per record out of it.

> Plaid would retain access to their credentials and use them to mine, aggregate and then sell users’ financial transaction data to third parties (including to the fintech apps that use its services) for purposes unrelated to the plaintiffs’ use of the fintech payment apps.

People's hatred / mistrust of Plaid stems from a misunderstanding of what Plaid is.

Yes, Plaid does """sell""" that information... to the app that you willfully gave permission to, information like cash flow, debt, types of debt, etc.

Oh, also, if people are so terrified of Plaid, they should write to the Congresspeople and ask them to write a bill to force banks to write & provide REST APIs. The lack of banking APIs is the only reason Plaid exists and has to resort to scraping or storing banking information.


> Oh, also, if people are so terrified of Plaid, they should write to the Congresspeople and ask them to write a bill to force banks to write & provide REST APIs.

Why REST? Yes, I’d certainly rather call REST APIs than, say, SOAP APIs, but do you really want Congress specifying that much technical detail?


Yes, that would be fine. As long as security is covered. Mandating a standard API would be awesome.


I haven't used Plaid and I haven't read the litigation, but it seems the following scenario may have happened:

1) Users use Plaid to buy/sell with a variety of vendors and banks

2) Vendors and banks were aware that specific users were buying/selling because they were buying/selling their products

3) Users consented to #2 because they were buying/selling their products

4) Plaid provided aggregated reports that said "5% of your customers also shopped on Amazon"

People sued over #4


I don't have the time to read and research exactly what happened. I see you settled for a large sum. Thus, I don't believe you. We've all been burned by companies that claim one thing and do the exact opposite. It doesn't matter if legally they are stating things accurately. What matters is how we, a mere human, would believe the plain English phrases used to be construed.

Hope you have success and I have no ill will towards you.


Yep, it's right up there in 'corporate-speak' next to "we're taking these allegations very seriously"


I understand your point (and yes we are all mere humans who like plain language).

Your data goes from your bank to the app that you authorized, via Plaid. It is not sold to anybody.


Did you pull all transactions on Plaid auth requests? Did you store that data to build out your risk score product? Your standard customer (one verifying their account for an ACH pull) more than likely didn’t know all their transactions were being stored and mined. They just wanted to fund their Robinhood account. That is the issue.


Derived data? All that aggregated stuff? Nothing?


Not to be nit-picky, but is that data (or derivatives of the data) gifted, given, bartered for, or otherwise sent to parties that are not (Plaid, user bank, connected app)?

Neither here nor there, but I just used Plaid for the first time yesterday to pay for the down payment on my Tesla. It was a really nice, seamless experience.


I would also like to see the (notably, very carefully followed) 'data is not sold' line strengthened to include all other forms of transmission.

Also a happy user of a service enabled by Plaid tech.


I replied in some other thread. Copy-pasta:

No, your personal data is not sold or rented or given away or bartered to parties that are not Plaid, your bank, or the connected app. We talk about all of this in our privacy policy, including ways that data could be used — for example, with data processors/service providers (like AWS which hosts our services) for the purposes of running Plaid’s services or for a user’s connected app to provide their services.


I saw that. Thank you for your patience and persistence in responding to so many pointed questions.

For anyone interested, here is a link to the relevant section of the referenced privacy policy: https://plaid.com/legal/#consumers

I am also impressed by the Legal Changelog on the same page that clearly lays out a log of changes made to privacy & other published legal documents.


I worked at Plaid from when it was less than 50 people to when it was a little over 100. There was no selling of data going on when I was there in any form (anonymized, aggregated, or otherwise). More generally, it doesn't make sense for Plaid to sell data. They already make a huge amount of money on the API. Why jeopardize that? In terms of the settlement size, it actually seems like peanuts to me in comparison to the size of Plaid and the number of affected people. I mean it basically translates into 60 cents a person. This seems more like a payoff to the class action lawyers, enough to make it worth their while but basically nothing for their "clients."


Just because you settle, doesn't mean you are guilty.


I get it. It's just 58 million. I would fight.


No company would settle for such a large sum unless they were guilty or afraid of going through discovery.


That's just not at all true. If you've ever worked in / around law you'd understand how it's less about right and wrong and more about risk management. Non-guilty parties settle all the time. (I have no idea if that is true in this case or not.) But simply the idea that they settled for $$$ amount means they're guilty is just false.


As an engineer that's had to advise corporate legal on how to look at various things I can assure you that most of it is just risk mitigation and reward. From lawsuits to contracts, it's all the same stuff. That's just how legal people think. I don't think it goes any deeper than that.


How much did they settle for? I don't see that in the article. Just because they were sued for $58M doesn't mean that the settlement amount was anywhere near that!


A legal settlement over a lawsuit is the epitome of "if legally they are stating things accurately"; how can you possibly conclude that their settlement relates to how you, a mere human, believe the English phrases to be constructed? One explanation is dismissed because it touches on supposedly irrelevant legal details, yet your belief is based entirely on another legal detail. It sounds like you've made up your mind already regardless of what the "plain English" circumstances could be.


This really sounds like you're just doubling down without really responding to anything directly. You say you disagree with the allegations - why do you disagree with them? I understand you probably can't speak to this for legal reasons, but this vague rebuttal is worse than saying nothing at all. It just sounds like typical corporate PR, which makes me automatically assume you're lying.

I don't know the details of this case so I have no strong opinions, but this response makes me trust you less, not more.


I wrote a comment above on the main allegation which hopefully answers your question. It's not about selling data.


I’m guessing this is the relevant section stating that summarized anonymized data is shared.

> We may collect, use, and share End User Information in an aggregated, de-identified, or anonymized manner (that does not identify you personally) for any purpose permitted under applicable law. This includes creating or using aggregated, de-identified, or anonymized data based on the collected information to develop new services and to facilitate research.

> We do not sell or rent personal information that we collect.


I'm betting you are right. It may be that they sold aggregated data, and that they aggregated based on factors that might have been too granular in some situations.

Perhaps something like "all users who are in the UK and logged in last Sunday morning". Something like that could have been a pain to suss out for each instance of data sharing; in addition, if you "settle in court", you can also set court-approved definitions of what "anonymously aggregated" means.


> We do not... rent personal information that we collect.

Forgive my ignorance here, but how exactly would one "rent" personal information?


Sell a subscription to access current transactional data. Like if Verizon charged $x/mo to have access to call logs, and was sold to advertisers


Access through something like an API and then losing access once you stop paying your monthly fee?


Facebook claimed repeatedly that they had never sold user data, and it turns out this was true: Instead, they had bartered user data for increased access or other privileges elsewhere.

I'd like to hear a broader statement on the specific phrasing in this article: « the fintech firm passed on personal banking data to third party firms without user consent ».


No, your personal data is not sold or rented or given away or bartered to parties that are not Plaid, your bank, or the connected app. We talk about all of this in our privacy policy, including ways that data could be used — for example, with data processors/service providers (like AWS which hosts our services) for the purposes of running Plaid’s services or for a user’s connected app to provide their services.


I see a lot of suspicion in thread below, which I very much understand.

I'd like to take a minute though to express my frustration with the banks that refuse to supply any sort of limited APIs. How is it 2021 and I still can't give my tax person read-only access to a specific year of transactions? Plaid's and others' trust issue would be so much easier if the banks had any sort of control over sharing aside from none or authorized to do anything.


Your banks would need to create APIs with fine grained access to do the things you describe.

Go ahead and explain to a bank who has a STAGE COACH in their logo what an API is and why they need one with fine grained access.


The old overly specific denial. Never did sell the data, but collected and stored it just in case you ever changed your mind about that.


I don't understand something. Please, help me understand:

"According to the lawsuit, filed Thursday in California federal court, the plaintiffs alleged that Plaid has “exploited its position as middleman” to obtain app users’ banking login credentials and use that information to gain access to and sell their transaction histories. Allegedly, these actions occurred without users knowing about Plaid’s role is a variance of “deceptive tactics.”"

So, the lawsuit is for selling the transaction histories and you say you never did it.

Why do you settle for $58M if you never did it rather than go to court so that they present proofs that, according to your explanation, must be false?

I am not convinced.

Or, the simpler explanation: you just lie here to us because you can. But you settle to not go to court because you know you can't lie yourself out of losing.


Here's my dumb explanation:

Ever seen Fight Club and that recall equation?

Yeah, that's why. It would cost them more time, bad PR and money to fight than it would be to just settle and take the lumps even if it is untrue.


$58M?

In this case, you ask to dismiss the case for lack of evidence. That is, if you are innocent and there really is no evidence.


While I have you here, as a developer of a financial product myself and wanting to use something to let my users connect their bank accounts to my product via Plaid, let me tell you sir that your pricing strategy sucks. There is no way for a developer to pay for Plaid use on a per-user basis, and your service cannot be used without having to pay like minimum $500 to you every month even if I have like 10 users. So basically your pricing is hostile towards startups.


Sorry you got hit by that! I work at Plaid -- most of Plaid's APIs can be used without a $500 monthly minimum contract, but a few of them do require it -- we know this is a pain point and are currently looking into how we can make pricing on these products friendlier to small developers.


So... does anyone here actually believe this comment?


Hmmmm could have saved yourself a cool $58 million if what you're saying is true.


Do you sell anonymous transaction data?


I don't get why you'd settle then. Is this just denying it on technicalities?


We worked closely with AWS on this (problem and blog) and they were great and quite transparent. Glad it's interesting/useful to you.


Hi TruthWillHurt, are you in the UK? Looking at that list, that looks like what's required for a UK developer -- the environment in the UK is very regulated and quite different than the U.S.


Can you send me an email: jgreze plaid.com -- I'll see what I can do to help. For the vast majority of cases onboarding should be self-serve until you hit a certain level of scale, so I'd love to understand what's happening here and what we can do better.

(VPEng at Plaid)


That is absolutely not true. The only thing that's self-registration is development access, which is limited to 100 customer connections. Going to production requires submitting a ticket, which is picked up by a person that transmits requirements from the compliance team.


You should be able to put traffic through via the development environment without that, but you're right that to go to full production you would need to answer some compliance questions; it should not take months, though. I understand your frustration if it's taking that long.

You have my email, and if you reach out I can see what I can do to help. Best.

