Hacker News

I'm surprised, because Plaid is far from the first mover in the "scraped banking data API" space. Mint (now Intuit) and Yodlee come to mind, and they use essentially the same sign-in flow and come with the same limitations.

There are organizations and companies that are trying to do this legitimately, through open standards and real incentives to both FIs and customers to share information in exchanges:

- Open Banking Project: https://www.openbankproject.com/

- MX: https://www.mx.com/

P.S. Can we get real Markdown support already? The fact that the Markdown URL format isn't supported is extremely user-hostile.



You're right, they aren't the first. That said, when I use accounting software, it's pretty obvious to me that I am going to be sharing my transaction history with the accounting software. When I connect my bank account to Venmo, it is absolutely not obvious to me that I'm sharing my entire transaction history with Plaid. Replicating the appearance of my bank's login screens is critical to the illusion.

Even if I did understand that they are storing and using my credentials, I should be able to expect from a reputable business that they are not scraping irrelevant transaction data and then using it for purposes that don't explicitly support the app I am using. Selling my transaction history definitely isn't supporting the use case I'm authorizing.


Fortunately, Plaid doesn’t sell your transaction history, so this isn’t a concern.



Any chance you could point me to something more specific? From your link I found this:

> We do not sell or rent personal information that we collect.


Alternative title to this thread is "Plaid fails to sell customer data to Visa" (along with code, and the rest of the company). Consumers, as well as Plaid, have no idea where this data is going to end up ultimately, depending on who winds up getting control of Plaid. What are the odds of Private Equity acquiring Plaid and "leveraging synergies" with the pay-day loan company in their portfolio? I think the odds are greater than zero.


“We may collect, use, and share End User Information in an aggregated, de-identified, or anonymized manner (that does not identify you personally) for any purpose permitted under applicable law.”


Going by what was posted further up in the thread, that seems to be what TD Bank alleges in their suit?


If you authenticate with <mortgage broker> via Plaid, then the broker pays Plaid money and the broker gets your bank information. So I suppose in a sense that's "selling your data," but I don't think that's what people are concerned about: You explicitly sign into the mortgage broker to give them data!

What Plaid has said on record they DON'T do is take that data they provided to the broker, bundle it up, and then sell it to marketing firms or hedge funds or other random third parties for which the user didn't explicitly ask their data to be shared.

See: https://www.americanbanker.com/news/lawsuit-against-plaid-he...

“Plaid does not sell and has never sold consumers’ personal information or data. Consumer data is obtained and used with consumer consent. Plaid believes strongly that consumers should have permission-based access to and control over their financial data, and embodies these principles in its practices.”

That's pretty strong language.


From the press release: "Plaid is a financial services company that operates the leading financial data aggregation platform in the United States"

I love the way they are literally defined as "the leading financial data aggregation platform in the United States", rather than "the leading financial integrations platform".

Seems like Justice does know their real business. And they don't seem to care.


Re: formatting, I strongly suggest using markdown's [reference link syntax], which is much more readable when rendered as plain text.

[reference link syntax]: https://daringfireball.net/projects/markdown/basics


> There are organizations and companies that are trying to do this legitimately, through open standards and real incentives to both FIs and customers to share information in exchanges:

That is never going to work. The reason the world works the way it works is because banks don't want to give easy access, so market opportunity for companies like Plaid exists.


It works in the UK where open banking is regulated by the FCA:

https://www.openbanking.org.uk/customers/what-is-open-bankin...


Open Banking is the result of the EU PSD2, so unfortunately is no longer guaranteed in the UK. UK firms have already lost passporting rights, and it's yet unclear whether the UK will align with EU regulation going forward.


I think it would be highly unlikely the UK would regress on open banking. It's been a cornerstone of a lot of govt policy for banking.


I guess the question is what you mean by "open banking". Initially, in the UK, that phrase referred to the FCA's implementation of the PSD2 requirement for banks to allow a secure mechanism of access to third parties. I think that this definition of open banking has already regressed post-Brexit, from the absence of passporting. UK firms and banks are no longer able to interoperate with EU firms and banks, and PSD2 no longer applies to them.

Another definition may be domestic API access to bank accounts, which I agree will continue to be policy in the UK. It won't be PSD2 open banking, though.


PSD2 still applies. That was integrated into U.K. law long before Brexit. It would take an act of parliament to unwind.

Additionally the U.K. has generally been on the leading edge of open banking, which is why our standards weren’t identical to the EU’s for a while. It’s going nowhere, and pass-porting will make no difference.

The only real impact of Brexit is the open banking entities will need to register separately in the U.K. and the EU, and be subject to two different regulators. But that’s just paperwork for the most part.


> PSD2 still applies. That was integrated into U.K. law long before Brexit. It would take an act of parliament to unwind.

It's not that simple. The FCA is no longer an EEA National Competent Authority and UK Third Party Providers must register with an EEA NCA to continue to operate in the EEA. Domestic legislation which put PSD2 in force is of course still UK law, and domestic TPPs and Account Servicing Payment Service Providers can continue to operate together (even using the same eIDAS certs), but they cannot engage in open banking with the rest of the EU/EEA.

PSD2 and its supporting institutions (EBA, EPC, ECJ) no longer apply to the UK.

> Additionally the U.K. has generally been on the leading edge of open banking, which is why our standards weren’t identical to the EU’s for a while. It’s going nowhere, and pass-porting will make no difference.

Internally, maybe, but UK TPPs and ASPSPs can no longer interoperate with EU/EEA TPPs and ASPSPs unless they register with an EU/EEA NCA, and thus become subject to EU Directives. Again it comes back to your definition of "open banking". If you mean only UK banks and firms being able to operate an open banking scheme, then you are correct that this will continue. If you mean open banking as defined by PSD2, it has already come to an end in the UK.

> The only real impact of Brexit is the open banking entities will need to register separately in the U.K. and the EU, and be subject to two different regulators. But that’s just paperwork for the most part.

So either UK TPPs and ASPSPs have to abide by EU Directives (if possible - the UK legislature may diverge from the EU in unreconcilable ways), or the UK has to maintain alignment with the EU indefinitely. Doesn't seem like just paperwork to me.


"Open banking" and "cross-border banking" are two different things. The UK will definitely continue to have open banking. The UK-EU banking relationship is still up for negotiation. (I'm not hopeful though.)


> The UK will definitely continue to have open banking.

As discussed elsewhere in this thread, this requires a definition of "open banking" which is separate from PSD2 and not what the phrase commonly meant until now. The distinction isn't between "open banking" and "cross-border banking" - the distinction is between:

* PSD2 compliant "open banking" between TPPs and ASPSPs,

* Some banks in the UK must have APIs "open banking".

Up until January 1st, the phrase "open banking" referred to the former. The latter may become accepted as the definition in the UK, but it is materially different to the original meaning.


It doesn't really work. Open Banking doesn't seem to enforce a consistent API which means you either need to implement a client for each bank (and their data model) individually or use something like Plaid (in the UK our equivalent is TrueLayer) to aggregate all the different banks into a single API.


This is just not true, for Open Banking in the UK. API standards are published and banks must implement them.

There was a get-out, but it was a bad one for the banks - if any bank did not provide a compliant API by a specific date (IIRC sometime last year) then they would have to keep their web sites entirely unaltered in order to support scraping.


PSD2 doesn't even mandate APIs as the mechanism of access!


The fact that the Markdown URL format cloaks URLs is user-hostile.


Markdown doesn’t cloak URLs; HTML does. We seem fine with that on every other webpage.


> P.S. Can we get real Markdown support already? The fact that the Markdown URL format isn't supported is extremely user-hostile.

Hear hear! Markdown is definitely the new formatting standard, and it's amazing (I even take notes in .md files).



