hypeatei 7 hours ago

Have you ever entered your routing+account number into HR software for direct deposit? Doesn't that qualify as handing a third party essentially the same access as Plaid gets? I think bank accounts are generally more accessible in the modern era, it's just a risk that you take.

Of course, you're not obligated to use Plaid but I do find the concerns around this quite strange since you're likely exposing account information already.

whycombinetor 7 hours ago | parent | next [-]

Plaid wants you to enter your bank username-password into their form. If it was just routing+account it would be truly no different than other bank connection methods.

formerly_proven 6 hours ago | parent [-]

Plaid works a lot like PSD2-based services in the EU then, which also typically consist of a form hosted by the service using Times New Roman and the original padlock.gif from Netscape asking for your IBAN and online banking password and then a TAN/2FA number. Obviously there are no technical controls at that point to what the service can do in your account. I tend to avoid anything PSD2 for much the same reasons as Plaid, it's extremely sketchy. Somehow we can have scoped access using OAuth for random webservices but for a credit check it's "please just give us your online banking login despite everyone telling you since 1995 that you're not supposed to hand that to anyone and always double check the URL in the address bar to be yourbank.com... we assure you nl-gwlogin.xs2a.openbankingservices.co.net is an entirely legitimate place to enter your PIN"

lxgr 5 hours ago | parent [-]

At this point, it's often OAuth, but in my view, the exact means of access is a red herring: The only thing that changes between screen scraping and OAuth is that Plaid doesn't get my banking password, which is literally the least of my concern compared to persistent access to my account transactional data.

gavinsyancey 6 hours ago | parent | prev | next [-]

The same info is also on checks, and there's an established story around fraud there -- if I didn't authorize an ACH withdrawal then my bank is legally required to make me whole. If I hand over my username+password to a third party, I'm on my own.

Also, the routing+account numbers just let them deposit/withdraw money, not snoop on all my transactions and harvest my data...

phoenixy1 5 hours ago | parent [-]

This is a common belief, but the CFPB has stated your bank is still legally required to make you whole in the event of fraud even if you handed over your username and password to a third party, and that any bank TOS stating otherwise are not valid. This is covered on the CFPB Electronic Fund Transfers FAQ, under the Error Resolution: Unauthorized EFTs, Question 8: https://www.consumerfinance.gov/compliance/compliance-resour...

lxgr 5 hours ago | parent [-]

In Germany, there was a similar antitrust-based ruling, but it even went further: They disallowed banks to block screen scraping services, as they considered the existence of screen-scraping-based confirmed instant bank transfers a valuable competitor to the (bank-led) card payment schemes.

In retrospect, they were maybe right on the competitive part, but the data privacy impact was disastrous.

redserk 7 hours ago | parent | prev | next [-]

With plaid they get access to all of your account numbers.

HR just sees a single savings account that I strictly use for direct deposit. They don’t see my actual savings account or my other purpose-specific checking accounts.

hypeatei 6 hours ago | parent [-]

Sure, but GP mentioned direct account egress which is why I brought up the typical method for doing that. I figured banks are already selling / reporting the other information (account types, amounts, transactions, etc.)

As an aside, I think each permission has to be granted explicitly in Plaid, so it's not just getting "root" access to do simple transactions (unless you grant it).

buzer 6 hours ago | parent | prev | next [-]

Whenever I have seen the Plaid integration, it will also ask for permission to access your transactions. HR software won't get those when I provide it my account & routing numbers.

webo 7 hours ago | parent | prev | next [-]

Routing+account numbers are not that sensitive. That's been the API for how we transact money since pre-historic times. Plaid gets access to your online account, with access to personal data, security details, documents, transactions, statements, write-access, etc.

lxgr 6 hours ago | parent | prev | next [-]

It’s roughly the difference between giving somebody your phone number and letting them eavesdrop on every single call.

liveoneggs 7 hours ago | parent | prev | next [-]

Plaid asks for your bank username and password, not just your routing + account.

lazide 6 hours ago | parent | prev [-]

Generally no. Plaid access generally includes whatever name you put on the account, as well as transaction history.