Visa Buys Plaid (wsj.com)
538 points by coloneltcb on Jan 13, 2020 | 319 comments



Looks like it's official: https://blog.plaid.com/plaid-and-visa/


Plaid is terrible! Both Wells Fargo and Bank of America support API integration, but Plaid chooses to screen-scrape and does not work if you have 2FA enabled. Also, you can't even manually enter your bank information. In other words, even if you pay dearly to Plaid, you may block many users who use some of the top banks in the States! There are a bunch of services I cannot use because they rely solely on Plaid, and I'm not willing to disable 2FA! Maybe being Visa, it will make the whole service more meaningful if Visa pushes banks to integrate, because it's 2020, and there's no reason to give your bank password to a third party when there are APIs and OAuth/OpenID protocols available for banks.


The way Plaid works, I'm surprised that they hadn't already been shut down for breaking banks' TOS. It exposes the banks to so much liability for a product that's not even theirs.


I dislike Plaid & similar systems but I disagree.

Enforcing stupid & unreasonable ToS in court is a slippery slope that can be used against users.

You want to use an alternative client to export your data because the official client doesn't allow it? ToS violation and the developer of the alternative client gets sued.

Want to screen-scrape some website to automate some tedious manual behaviour? ToS violation and you get sued.

Etc.

The ability to delegate some manual process (logging into online banking and getting the data) to a third-party (like Plaid) should be a right that we should defend.


Most manual processes, I agree, automate away. But not the ones that have negative implications for security. I don't care whether it's the TOS or some other means that's used to prevent password sharing, but it should be prevented. It is the bank's duty to protect its users, not to tolerate services that actively discourage safe practices like 2FA.


In the EU, we're getting DSP2 [0], which requires banks to publish usable APIs to get account information and to initiate money transfers. That's huge, though only at a baby stage for the moment.

[0] https://ec.europa.eu/commission/presscorner/detail/en/IP_15_...


This is a sham. You need to go through a certification process which costs $$$ before you can get access to those APIs even if the banking data is processed locally, which will only empower the incumbents while locking out open-source solutions and indie developers (remember that a lot of tools & products we use started as someone's side-project; this regulation locks those out by default).

At least with credential sharing & screen-scraping nobody can lock you out. Does it suck? Yeah. But I'd rather take a solution that sucks than no solution at all.


To me that depends on where the fraud risk lies.

In the UK, banks (in an attempt to encourage online banking) have a fraud guarantee related to losses from unauthorised access to online banking systems, as long as you haven't given your credentials to a 3rd party.

Screen scraping, like Plaid, obviously breaks that concept.

In that case it seems reasonable for the banks to have a ToS that says "no giving your credentials to third parties".

If there's no such guarantee and the user is on their own from a fraud loss perspective then I don't see a reason for enforcing that kind of ToS.

All that said, the idea of a transactional banking system being online with purely static credentials in 2020 is a scary one. Decent 2FA should be used for any system that has a financial impact.


Some banks have tried, but Plaid has a great legal team and has argued with the move towards open banking in the EU that customers have a right to their data.

Will be interesting to see where this goes.


I’m excited to see Australia pushing through open banking APIs, reusing most of the UK/EU spec... but the implementation keeps getting pushed back and back and back. Mid 2020 now for initial roll out, it sounds like... so for now I’ll stick with Basiq [0] as it’s Australian focused and free for my particular use case at least. Unless others have some other suggestions? I need to connect to ING Direct.

[0] https://basiq.io


Worst is their suggestion to disable 2FA! I tweeted to them about it, and they seem to have removed it after that!


Wells Fargo's 2FA uses SMS. Hardly worth enabling.


I don’t know why you’re being downvoted. SMS 2FA is not safe, full stop.


Sure, SMS-based 2FA is not nearly as secure as other forms of 2FA. But unless you're targeted, SMS-based 2FA still helps add a layer of security against other issues like password re-use. Of course none of us do that either, but for the general public, I'd rather support SMS-based 2FA across the board than nothing at all.


For the average Joe it's good enough; no one is SIM swapping Bob who works at Walmart.


That's default, but you can buy an RSA hardware token.


Like this one [1]? Seems that it is not necessarily better than SMS.

[1] https://news.ycombinator.com/item?id=4156897


There is an actual, material difference between having no 2FA (guess passwords until you get in), SMS 2FA (have a human person call a phone provider and have the number switched), and token 2FA (given the physical device and a few hundred attempts, you're able to make another device that also authenticates). Saying you might as well not enable 2FA because a token cloning attack exists is ridiculous.


And it's not even an attack on the OTP token.


This is why I never wanted to use Mint, although maybe Mint is better about this now.

I've also seen online mortgage applications ask for banking and retirement account passwords for the purpose of automated form-filling. It seems very shortsighted to give away your password to save 5 minutes filling out a form.

The nightmare scenario is that you give your bank account password to one of these screen scraping services, someone manages to hack them and empties your account, and you can't get the money back because giving away your password violates the terms of service for your online banking.


Mint used to sync with Chase and Wells Fargo through sketchy scraping, but those banks have since integrated with Mint over APIs. Mint then disabled syncing until customers reestablished the connection with the new, more secure method (which I thought was a good move).


For a while they were using Yodlee for the backend (which did all sorts of weird stuff), but I think they rewrote it after Intuit bought them.


They definitely use Plaid or a similar service to scrape data. The few banks that offer APIs do have it.


I don't have issues with Mint. As somebody suggested, Intuit has the privilege of having a different level of access unlike Plaid - maybe due to the importance of QuickBooks to both individuals and businesses.


The cynical part of me is convinced that banks would want to secretly run and popularize this kind of service as honeypots for collecting passwords sharing violations as a future liability defense.


That’d probably risk a counter-suit for willful negligence.


In many cases, if the APIs are available _and support all the necessary features_, Plaid will work with the bank to use the APIs. Banks have chosen to withhold some info from the APIs that are available on the site, which prevents a full switchover. The other problem, of course, is the payment model: should Plaid pay banks for access to the data? Should banks have to make the APIs as fully featured as their site for external consumption?

Also worth noting that the largest of US banks do offer APIs, but a large swath of the rest do not, either due to proprietary systems, choosing not to use their processor-offered solutions, or simply avoiding risk.

So, Plaid will have to scrape for another few years, I suspect, until the banks catch up in the US to what we are seeing in UK and other places.


Not even close to true. We’re one of the larger clients with Plaid, and that’s not on Plaid but on the service provider for not providing a manual entry.

Plaid works great and we’ve run into next to no issues with customers linking Plaid.


It's actually pretty rare to not run into issues with Plaid.

It depends on your customers, too.

If you're targeting consumers, Plaid's integration works far better than if you're targeting business bank accounts.


No issues with customers linking Plaid.

If your company is ONLY supporting Plaid then your issue is that your smarter customers are leaving.


I can confirm this. I really want to use the trading platform Gemini but will never cave to Plaid.

Any organization that asks for your personal password is nefariously normalizing this behavior and building complacency in consumers to trust anyone with their private information.


I didn't sign up for Gemini for a similar reason - I couldn't add my BofA account. What's wrong with the old school "take a picture of a voided check"?


So, I'm imagining their errors and suggestions to turn off 2FA?


I need to go back and check, we might be in one of their test groups as I haven’t heard any issues with 2FA. We do a catch-all and based on the error, we prompt the user to manually provide their banking info to proceed.

Worth noting I don’t work for a financial services company so the use case is likely very different than the services you’re discussing.

Apologies if I came off strong, it appears I may be a one-off consumer as opposed to mainstream.


So, I guess, I'm not imagining things as I just tried again: https://ibb.co/KGMhFXF


I work for a popular European competitor of Plaid, Tink (https://tink.com). We don't do screen scraping, but use the banks' own APIs. These days we also ride on the European bank directive "PSD2", which gives us the right to aggregate financial data from financial providers such as banks. That means we aren't breaking any Terms of Service with banks!

...and yes, we support 2FA. ;)


This is a lot easier because European banks all use similar APIs (as far as I've been informed). The US has no such bank API standardization in place. Most banks don't have APIs at all.


Note that an SSL_ERROR_BAD_CERT_DOMAIN is shown when trying to access tink.com at the moment. It says the certificate is only valid for cloudfront.net.

Edit: the website itself also returns a 403.


Weird. Works for me now. ¯\_(ツ)_/¯


Lancaster, England, Windows 10, Firefox, working perfectly for me as well.


Works for me. Chicago, IL, USA. Chrome 79.0.3945.117, User agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36, running on Debian Linux 10.


Very cool! Maybe you could enlighten me as to why it seems that no one supports Transferwise? They have an API, but all these services snub them.


Does Plaid actually "screen scrape" though? I thought they did the same thing (use the banks' APIs).


Apparently they don't seem to do it with all their integrations at least: https://www.insider.com/jpmorgan-announces-partnership-with-...


Both Bank of America and Wells Fargo do technically have APIs, though they're limited in scope to corporate accounts for treasury purposes. I've applied for access to both, and both declined even a sandbox account.


Think what you want about the EU, but sometimes they have good initiatives.

https://www.eu-startups.com/2019/09/open-banking-and-what-it...


This is a sham. You need to go through lots of audits & other administrative BS in order to be declared an "AISP" even if you don't actually process banking data yourself and it never leaves the user's device.

Imagine PCI-DSS compliance but without the exception that you don't have to be PCI-compliant yourself if you don't touch card data and pass it directly to a PCI-compliant payment processor.


It might look dreary to you from a distance, but for us on the ground, it is working. My bank is already offering to show any other banks’ statements along my accounts.


It's only working for large, existing players, is his point. For me wanting to build automatic syncing to my budget tools, I'm still out of luck. They don't even let you access your own data.


That’s kind of expected, isn’t it? An integration you make could be potentially used/abused by others and must be thoroughly vetted. For personal use my bank offers daily CSV downloads.


> For personal use my bank offers daily CSV downloads.

Can you automate this? This is my point. Manual CSV exports are not a solution. Open Banking was supposed to solve this but it's a complete sham that is only there to make them look like they're doing something and benefit the existing incumbents.


Why is it a sham? TPPs (who are either AISPs and/or PISPs) process banking information for customers of participating banks. A TPP will typically provide some kind of service like a unified view of customer finances, and as part of that they're processing customer banking info.

It would be an unusual TPP where the data never left the customer's device. Usually there'll be a web service/web app provided by the TPP and the communications will be between the customer and the TPP and then the TPP and the bank (a.k.a ASPSP)

Whilst it's not perfect, it's a hell of a lot better, from a security perspective, than 3rd parties getting full banking creds for customers.


> It would be an unusual TPP where the data never left the customer's device.

Why? The scenario you mention (providing a unified view of a person's multiple accounts & credit cards) can perfectly well be done on the device itself, and negates plenty of concerns regarding security, the need for a backend, etc. I personally made an app to display my balance & transactions on my Apple Watch. It's purely local and doesn't even have a backend. Yet I can't actually launch it "by the rules" because I need to become an AISP, even though I never come in contact with actual banking data.

> 3rd parties getting full banking creds for customers.

This is clearly a stop-gap solution until something better comes around, and frankly it isn't the worst solution if you trust the third-party. At least it becomes the user's choice whether to share credentials instead of the bank or some other entity deciding who can and can't have access based on potentially stupid or anti-competitive reasons.


Purely on a customer device would be extremely difficult as the OAuth keys for obtaining the consent would need to be stored on the device, which isn't a solution that scales past one user, from a security standpoint.

The problem of customer choice is that customers are very badly informed about the relative security of services, so there's a market for lemons. If the bank has no liability, that's possibly fine (although it could be argued the bank has some responsibility to advise the customer), but if the bank has any liability for issues resulting, then they get a say in the outcome.


Why wouldn't it be good from a security standpoint? How do social media clients do it then? As far as I know they do OAuth too, and so hold the consumer key & consumer secret inside the binary.

Leakage of the consumer secret/consumer key alone doesn't compromise security as you still need the access token and refresh token which are per-user.


Truelayer (although a smaller company) is the equivalent of Plaid in EU.


You generally need to have good relationships with banks for them to allow you to use their APIs.


> does not work if you have 2FA enabled

Plaid definitely works with BoA + 2FA, at least as of about a month ago when I had to use it.


Just tried again as I don't wanna be accused of making things up: https://ibb.co/KGMhFXF


What type of 2FA are you using? I have the default (SMS based) and it works for me.


Same.


Are you trying to use a business account or something? Otherwise I have no clue.


I have both a personal and a business account, but the login is the same, and they fail at the login level, not after I'm authenticated. One cannot tell what sort of accounts are behind the account before you successfully log in.


I have no idea then, it's worked for me in the past - Plaid asks me to give them the 2FA auth code I receive via text.


> and does not work if you have 2FA enabled

Certainly false, at least for Bank of America. Just yesterday I connected BofA to privacy.com using Plaid, and it asked me to enter the SMS 2FA code.


It works only once as they relay the code for verifying account numbers. But it doesn't always work (both with BofA and Wells Fargo) and certainly not for continuous pulling of data.


Which is how 2FA is supposed to work. Perhaps they try to keep the session from timing out, but that is bound to break.

The solution is regulation to force banks to provide customer data over an API to an authorized third party (preferably with 2FA on that too, and other security mechanisms, like mutual auth, auditing the security and probity of the subscriber, etc.).

Scraping is such a 1990s solution, and Plaid's Uber-like disregard for rules made it a non-starter for anyone sensible.

Ironically, while it might get systematic integration with VISA, the privacy implications are far worse.


It doesn't - I tried again just to see if I was imagining things: https://ibb.co/KGMhFXF


You can now enter manual account and routing numbers with Plaid and they will handle micro-deposit verification. They also now support 2FA for many banks. Plaid is definitely not great in some areas, but there really isn't a good alternative if you want to aggregate your banking and transaction data. Not in the U.S.

Very few banks have publicly-accessible APIs, and when they do, they likely won't return consistent data. There simply isn't a standard in the U.S. There are literally thousands of banking systems in this country. As someone who helps run a fintech app, I can assure you there are significant numbers of people who are simply members of their local credit union with very limited technology.


I'm surprised they still scrape Bank of America. A few months back (maybe a year), when they really pushed their API integration over scraping, a bunch of services (QuickBooks, Mint, Privacy) required me to reauth on my BofA accounts.

I assumed this was because they were switching over to their API, and that was the only way to pull data now. I could be wrong, it just seems weird that 3 different sites made me reauthenticate within a month or so.


Are there any APIs out there that show the separate amounts a counter credit is made out of (for Bank of America accounts)? We wanted to use it for importing transactions into our system, but if several checks are deposited at once the amount would have to be split manually, as it comes in as one transaction.


I am not familiar with their API - possibly it's a crappy one, but I had one integration in the past (can't recall) and there's an area in your profile for authorized apps. I've done Wells Fargo integration, too.


Pretty sure this is false. All my accounts are 2FA, and connected to a few different account aggregators (Mint, Personal Capital, etc.) which I am pretty sure all use Plaid. Handles it fine.


Mint does not use Plaid, they have an in-house integrations system.


In-house by Intuit.


My Wells Fargo account uses 2FA, and recently (November 2019) I was unable to connect a service to it through Plaid, getting an error that said my account type was not supported – or something along those lines.

They may have fixed it by now, I haven't tried more recently.


You can remove 2FA, log in with Plaid, and re-add it. This worked for me.


I'm already uneasy with the way Plaid works, I'm not also going to disable 2FA on my account to accommodate the broken way they access accounts (pretending to be a browser instead of using APIs). There are good, secure ways to grant access to resources, and giving your password to Plaid for them to log in to your account with reduced security is definitely not one of them and certainly not an attractive proposition.


Worst of all, it's a full access, not a scope-restricted one. Imagine somebody hacking Plaid and you disabling 2FA, because otherwise you can't use some of the fancy new services you saw on Product Hunt.


Worst of all, is their privacy policy.

> We retain information we collect about you for as long as necessary to fulfill the purposes for which we collected it, unless a longer retention period is required OR PERMITTED under applicable law.

It is not necessary to "hack" Plaid.


Yeah, it's the users who got hacked when they signed up.


It's all in the way Plaid connects to the banks - they do not systematically support MFA in their bank connectors; hence the issues you are seeing.


This works only if you want to do an account verification. If you have to continuously pull in transactions, it will fail, and ask you to "fix" the problem.


I am able to continuously transfer funds after the initial setup


So, you call me a liar? I have personal, my own business, and several accounts of a nonprofit I am an officer at. All have 2FA and none work. Intuit is a different story and I'm able to sync in bank transactions into it - not with Plaid-based services though!


I feel sorry you had to go through those replies telling you your statements were false or wrong. I think it comes from people who think that if it works for them, it must work for everyone else.


Yeah, I thought I'm imagining things, tried again, and this is what they say about BofA: https://ibb.co/KGMhFXF


Mint uses its own system I think. Personal Capital uses Yodlee.


I'm not a fan of how Plaid works either, but short of pushing for legislation mandating API for all banks, I doubt it will happen in the short term...


You can't rely on a third-party API for your business. IMHO scraping is the way to go.


Plaid's better than using Finicity, which is even worse.


Finicity is actually the old Intuit screen scraping tech. It's been around almost as long as Yodlee. Not to impugn legacy tech or anything, but I suspect there's some cleanup to do there.


What's funny is that I can link accounts with Betterment, which uses Quovo, which got acquired by Plaid, but I can't with Plaid itself!


Plaid's product is absolutely absurd. Yes, please train your users to type their username and passwords into third-party sites because they're given a legitimate-looking sign-in box. US banking infrastructure is so hopelessly bad that this hack of a business is considered legitimate fintech.

My wallet was stolen and before I realized it was gone and could cancel my CCs some dude made like six obviously fraudulent purchases. No Chip and Pin - zero verification. US banking needs to be legislatively hard-reset.


I have a wallet attached to the back of my phone and it's the only thing I carry. Makes it tough to forget / not realize it missing since I need it so frequently.


So a single point of failure then?

It also means you are holding your cards on you all the time you use your phone on the street, which is prime time for somebody to come and snag it out of your hand.


It looks like a normal case; you can't see the cards.

Not a single point at all, it's just a couple of cards in the slot.


It's still a single point of failure.


So now if you lose your phone you also lose your wallet and are really screwed. It’s better to hedge your risk and keep important stuff in different places. It might increase the chance of losing something but mitigates the risk of losing everything. I think most people would prefer to mitigate the big risk instead of the small ones.


Also would make cancelling your cards harder if they were lost along with your phone?


I don't call banks, it's a terrible experience. I always use online chat or Twitter for that sort of thing.


I don't hear this type of criticism for Personal Capital or Mint, both of which collect credentials to catalog transactions.


HNers have been launching this criticism at Mint at least since I signed up for this website.

https://hn.algolia.com/?q=mint+password


This is just a bunch of questions asking how Mint stores the credentials; in the majority of these posts, nobody seems to be passing judgment.


Every time Plaid is mentioned on HN, people want to hate. My take is: don't use it if you're scared?

A few of my friends were talking about Plaid the other day, and I told them I like the company/product, but "many people on HN hate it." They were perplexed and when I explained it was because you guys were nervous about entering your bank password into a third-party (yet reputable) company's interface (that's encrypted), they wrote it off as "being paranoid." Can't say I disagree...


Saying the company interface is encrypted so it's safe shows how effective this attack can be. One of the attacks would present you with a login box. You think this is Plaid, and it is encrypted, so it's safe, so you enter your username/password. It turns out to be a different third party. Not to worry, the hacker interface is encrypted as well. Another attack surface opened up involves data breaches at Plaid, where a company employee dumps access to everyone.

It is probably the one thing you can do today that will at some point cause you lose money from your bank account.

It is not even paranoid. It's a bad idea to leave your bank access codes with someone else.

The less people understand how things work the more likely they are to trust it. This just opens up a new avenue for exploitation.


The point is not, I think, that Plaid is sketchy but that the banking infrastructure is so poor that you can build a billion dollar business based on screen scraping. There is a clear and obvious need for better API integration to banks but the banks themselves have been incredibly slow to provide this.


I've never used plaid, but in Germany there's a (I guess) similar service, Sofortüberweisung.

My problem with these services is not that I don't trust them - I know how bad banking IT is, they can't be much worse. What bothers me, is that they teach users that it's okay to enter your credentials into third party sites, a recipe for disaster.


“Encrypted” is not the same as “secure” and in practice knowing that data is encrypted gives you virtually zero useful information toward knowing if your data is secure.

I previously worked at a “reputable” company whose main product stores usernames and passwords for third-party sites. It’s a conceptually-similar product to what Plaid offers, but in a different problem space. These passwords were encrypted.

And yet:

* any developer or ops member could trivially have dumped the entire plaintext dataset

* there were multiple bugs discovered that would have allowed dummy accounts to quickly, trivially, and remotely dump the entire plaintext dataset

* if these bugs had been exploited, we would have had no way to know past a few weeks due to log rotation policies

* administrator passwords to systems were often just single English words

If anyone with ill intent had looked at this product for more than an hour, they likely would have discovered some of the bugs mentioned; one was pretty much just a

    GET /accounts/$i/passwords.csv
I have no particular information regarding Plaid that would lead me to expect they’re anywhere near this bad. I also have no particular reason to believe they aren’t this bad, but in my experience as an infosec engineer, the overwhelming majority of companies—even “reputable” ones—are far closer to the shitshow end of the spectrum than they are to the competent end when it comes to security. Even if they are competent it’s not that big a reassurance, because competent companies still get popped with depressing regularity. It still often just takes one mistake from a well-meaning engineer to introduce a severe security vulnerability, even in a company that generally takes security seriously.

Combine this with the consequences of a breach: if your credentials are stolen from Plaid and used to steal money from you, your bank, brokerage, or other financial institution can point to your use of this product as cause to deny your claim to have your funds returned. Essentially, they can point to Plaid as a violation of their terms of service, and hold you on the hook for any losses as you voluntarily gave your credentials to a third party.

Hell, even if Plaid isn’t breached and your account is compromised through other means, they can use the logs from Plaid regularly logging into your account to make the same case.


It shouldn't need your password. Better systems are possible that grant various forms of access without effectively giving them 'root', and such systems preserve your own protections.

See PSD2 in the EU, for example.
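As an added example (not code from the thread, from Plaid, or from any bank), here is a toy Python model of the distinction drawn above: a shared password hands a third party "root" on the account, whereas a PSD2-style consent token is limited to the scopes the customer granted, expires, and can be revoked without changing the password. The scope names, classes and sample data are assumptions made for illustration.

```python
"""Toy model (constructed for this example) of credential sharing versus
scoped, expiring, revocable consent for third-party access to a bank account."""
import hmac
import secrets
import time
from dataclasses import dataclass


class AccessDenied(Exception):
    pass


@dataclass
class Consent:
    user: str
    scopes: frozenset          # assumed scope names, e.g. "accounts:read"
    expires_at: float
    revoked: bool = False


class ToyBank:
    def __init__(self):
        self._passwords = {}   # user -> password (plaintext only because this is a toy)
        self.balances = {}
        self.transactions = {}
        self._consents = {}    # token -> Consent

    def add_user(self, user, password, balance):
        self._passwords[user] = password
        self.balances[user] = balance
        self.transactions[user] = []

    # Path 1: credential sharing, which is what screen-scraping aggregators rely on.
    def login(self, user, password):
        """A password session is all-or-nothing: whoever holds it can do
        everything the customer can, including moving money."""
        if not hmac.compare_digest(self._passwords.get(user, ""), password):
            raise AccessDenied("bad credentials")
        return PasswordSession(self, user)

    # Path 2: delegated consent, PSD2/OAuth style. The third party never sees the password.
    def grant_consent(self, user, scopes, ttl_seconds):
        token = secrets.token_urlsafe(16)
        self._consents[token] = Consent(user, frozenset(scopes), time.time() + ttl_seconds)
        return token

    def revoke_consent(self, token):
        self._consents[token].revoked = True

    def _authorize(self, token, scope):
        c = self._consents.get(token)
        if c is None or c.revoked or time.time() >= c.expires_at:
            raise AccessDenied("consent missing, revoked or expired")
        if scope not in c.scopes:
            raise AccessDenied(f"scope {scope!r} not granted")
        return c.user

    def read_transactions(self, token):
        return list(self.transactions[self._authorize(token, "accounts:read")])

    def initiate_payment(self, token, amount, payee):
        self._debit(self._authorize(token, "payments:write"), amount, payee)

    def _debit(self, user, amount, payee):
        if amount > self.balances[user]:
            raise ValueError("insufficient funds")
        self.balances[user] -= amount
        self.transactions[user].append((payee, amount))


class PasswordSession:
    def __init__(self, bank, user):
        self.bank, self.user = bank, user

    def read_transactions(self):
        return list(self.bank.transactions[self.user])

    def transfer(self, amount, payee):
        # Nothing in this path can stop a leaked or misused session from doing this.
        self.bank._debit(self.user, amount, payee)


def demo():
    """Returns (balance, rows read via consent, payment blocked?, readable after revoke?)."""
    bank = ToyBank()
    bank.add_user("alice", "correct horse", 1000)
    full = bank.login("alice", "correct horse")         # aggregator holding the password
    full.transfer(100, "payee chosen by whoever holds the session")
    token = bank.grant_consent("alice", {"accounts:read"}, ttl_seconds=60)
    seen = bank.read_transactions(token)                # read-only consent works for reads
    try:
        bank.initiate_payment(token, 100, "any payee")  # but cannot move money
        payment_blocked = False
    except AccessDenied:
        payment_blocked = True
    bank.revoke_consent(token)                          # customer withdraws consent
    try:
        bank.read_transactions(token)
        readable_after_revoke = True
    except AccessDenied:
        readable_after_revoke = False
    return bank.balances["alice"], len(seen), payment_blocked, readable_after_revoke
```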


Plaid is an incredible company and provides a valuable service to their tech partners. That said, their data collection practices are scary. They allow any developer using their software to swallow all of a users banking data - I would love to know how they police bad actors.

(Source: https://plaid.com/legal/#privacy-statement)


Here is pertinent verbiage from the Plaid Privacy Statement.

Information we collect from your financial accounts. The information we receive from the financial product and service providers that maintain your financial accounts varies depending on the specific Plaid services developers use to power their applications, as well as the information made available by those providers. But, in general, we collect the following types of identifiers, commercial information, and other personal information from your financial product and service providers:

Account information, including financial institution name, account name, account type, account ownership, branch number, IBAN, BIC, and account and routing number;

Information about an account balance, including current and available balance;

Information about credit accounts, including due dates, balances owed, payment amounts and dates, transaction history, credit limit, repayment status, and interest rate;

Information about loan accounts, including due dates, repayment status, balances, payment amounts and dates, interest rate, guarantor, loan type, payment plan, and terms;

Information about investment accounts, including transaction information, type of asset, identifying details about the asset, quantity, price, fees, and cost basis;

Identifiers and information about the account owner(s), including name, email address, phone number, date of birth, and address information;

Information about account transactions, including amount, date, payee, type, quantity, price, location, involved securities, and a description of the transaction; and

Professional information, including information about your employer, in limited cases where you’ve connected your payroll accounts.

The data collected from your financial accounts includes information from all your accounts (e.g., checking, savings, and credit card) accessible through a single set of account credentials.


I never used Plaid, but it reads like the information used in a typical bank application for credit. Why would anyone willingly share this much without getting something major in return?

Does Plaid bank the underbanked? I am not sure what their appeal is.


Simple. Just imagine that everybody is incredibly stupid and wants to be robbed and have their identity stolen. That's the target market.


Automatic verification of funds, of employment, of income. Plus you can have Plaid automatically set up a Stripe account in Stripe Connect; you’d be shocked at how many people screw up their bank account information when filling out a form.


Marketing dollars and partnerships can get a company a LONG way...


They provide data for things that are like Mint (but not Mint itself).


That's why VISA paid $4.5B!


I'm confused. Isn't that the POINT of Plaid?

Do they do more than replace Yodlee nowadays, where it's an SDK for people to scrape bank accounts? Like, say, if you're an accounting app and need to import bank statements.


For some of Plaid's partners it is the point. Others are only using Plaid for a simple bank account verification.

Here is the list of fintech companies which use Plaid as published in the Visa acquisition presentation. Many of these (like non-lenders) have no legitimate use for all that info.

Stash Dave N26 Monzo Acorns Chime MoneyLion Rainist Transferwise Robinhood Circle SoFi Revolut Etoro Clearscore Toss NuBank Square Cash Mint Coinbase Venmo Credit Karma


Slightly off topic, but worth highlighting. Privacy virtual card uses Plaid (well, at least the last time I looked at it a few months back). The integration was extremely questionable. They were faking the bank’s login page. So when you entered your credentials, it wasn’t the actual bank’s page.

There was a GitHub issue opened, and after several follow-up complaints they blocked further commenting and then removed the ticket.

Subject of the ticket: [plaid/link] privacy/security concerns (#68)


Collecting actual banking credentials is how Plaid works, quite literally. One needs to be clinically insane to give one's bank login creds to a third party voluntarily!

I refuse to do business with any business that uses plaid and has no sane alternative to get bank account numbers (deposit two small amounts, three days later I tell you what they are)

The first time I saw it, I assumed the website had been hacked. I was actually more horrified when I found out that this was working as intended and some website wanted my bank password!


Indeed. Sharing your banking credentials with a third party almost certainly violates the terms of service you agreed on with your bank. If the third party has a security lapse and your bank account is drained, your bank might just claim that you authorized that transaction with your credentials, so it's a valid transaction and they won't shell out their own money to refund your loss.

If in doubt, you should check your bank's terms of service for online banking.


> I refuse to do business with any business that uses plaid and has no sane alternative to get bank account numbers (deposit two small amounts, three days later I tell you what they are)

I'm a bit horrified this is still a thing, too. Doing this just confirms you have the correct account and routing number, so you can deposit and withdraw. It won't allow you to see transactions, will it?

FWIW, a minority of banks have "linked apps" that allow you to revoke access from the bank's website (some are clear they're restricting it to read-only access). But I'm not sure how consistent or widespread this kind of thing is. I doubt if you're offering a service like Plaid you could rely on only supporting these institutions.
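The two-small-deposits flow quoted above, as an added example (my code, not Plaid's, Privacy.com's or any bank's): the service picks the two amounts, stores only a salted hash of the pair, and later checks what the user reports with an attempt cap and an expiry, so the check cannot be brute-forced by someone who merely knows an account number. The function names, the three-attempt limit and the one-week window are assumptions.

```python
"""Micro-deposit (trial-deposit) account verification, the credential-free
alternative discussed above. Added example, not Plaid's, Privacy.com's or any
bank's code; the flow, limits and field names are assumptions.

The service sends two deposits of 1-99 cents each to the account the user
claims to own and later asks the user to report them. Only a salted hash of
the pair is kept, the comparison is order-independent and constant-time, and
guesses are capped and time-limited: without sight of the statement there are
4,950 unordered pairs, so three attempts give an attacker well under 0.1 %.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Tuple

MAX_ATTEMPTS = 3              # assumption: lock the challenge after three wrong reports
TTL_SECONDS = 7 * 24 * 3600   # assumption: deposits must be confirmed within a week


def _pair_digest(salt: bytes, cents_a: int, cents_b: int) -> bytes:
    """Hash the unordered pair so (12, 37) and (37, 12) verify identically."""
    lo, hi = sorted((cents_a, cents_b))
    return hashlib.sha256(salt + f"{lo}:{hi}".encode()).digest()


@dataclass
class Challenge:
    account_ref: str    # opaque reference to the destination account; no credentials are stored
    salt: bytes
    digest: bytes       # salted hash of the two amounts, never the amounts themselves
    issued_at: float    # epoch seconds
    attempts: int = 0
    verified: bool = False
    locked: bool = False


def issue_challenge(account_ref: str, now: float,
                    randbelow: Callable[[int], int] = secrets.randbelow
                    ) -> Tuple[Challenge, Tuple[int, int]]:
    """Choose the two amounts and build the stored record.

    The amounts are returned only so the payment rail can originate the
    deposits; the Challenge itself keeps just the salted hash."""
    cents_a = randbelow(99) + 1     # 1..99 cents
    cents_b = randbelow(99) + 1
    salt = secrets.token_bytes(16)
    ch = Challenge(account_ref, salt, _pair_digest(salt, cents_a, cents_b), now)
    return ch, (cents_a, cents_b)


def confirm(ch: Challenge, reported_a: int, reported_b: int, now: float) -> str:
    """Check the amounts the user reports. Returns 'verified', 'wrong',
    'locked' or 'expired'. Wrong and out-of-range reports both count as attempts."""
    if ch.locked:
        return "locked"
    if ch.verified:
        return "verified"
    if now - ch.issued_at > TTL_SECONDS:
        return "expired"
    in_range = 1 <= reported_a <= 99 and 1 <= reported_b <= 99
    if in_range and hmac.compare_digest(
            _pair_digest(ch.salt, reported_a, reported_b), ch.digest):
        ch.verified = True
        return "verified"
    ch.attempts += 1
    if ch.attempts >= MAX_ATTEMPTS:
        ch.locked = True
        return "locked"
    return "wrong"
```

The service only ever needs the account and routing number to originate the deposits; a deposit that comes back as an ACH return also tells you the account is not live, which covers the "does this account exist" part of what an instant-verification widget provides, just a day or more later.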


> The first time I saw it, I assumed the website had been hacked. I was actually more horrified when I found out that this was working as intended and some website wanted my bank password!

This was my exact same impression. Even after some Googling and asking friends where I learned this was a thing, I was still very wary that it was legit.


(I work for Privacy.com)

We do use the Plaid Link widget (as do most other fintechs in the US). We don't touch credentials or handle the bank login page.

Commentary about the state of the US banking system aside, Plaid is pretty much the industry standard way to do instant bank account verifications today. However, we also have options to link with debit card and account / routing number if you're not comfortable with the Plaid route (totally understandable).


What about Yodlee? I'm under the impression that Yodlee is a bigger and much more established player here. Although Yodlee's API certainly isn't great.


It's been pretty widely reported that Yodlee sells user data to hedge funds and others. It's the main reason we didn't go with them.


I developed both Yodlee and Plaid integrations for a customer last year. I remember the Yodlee sales rep mentioning that over 75% of their supported institutions are direct API integrations. Now, this is coming from a sales rep so take it with a grain of salt.


literally this is how bad the industry is where this is an accepted practice? Wow Banks SUCK


Yeah, isn't Plaid basically teaching users to fall for phishing attacks? As with any account, the only sane advice is to only enter your password for account X into the website or app for X. Which is the exact opposite of the expectation Plaid creates.

Also, it's one thing for me to let a third party withdraw money from my checking account (if I provide my account number), but that doesn't mean I want to give them the ability to do things like change my password, disable 2FA, read my transaction history, transfer money out of my other accounts, cancel my cards, and so on — which they can if they have my password. That's just insane.


Do you have a link to thread in question?


If you’re referring to the GitHub link, they took it down after several complaints.

https://github.com/plaid/link/issues/68


Reminder... donate to the Internet Archive!

https://web.archive.org/web/20190510080449/https://github.co...


Will be interesting to see the terms for the acquisition and see if Mary Meeker's last investment for KP was a winner or not!

I'm cautiously optimistic for a good outcome for the Plaid folks here: last round was two years ago for $250M. Could they have been suffering $10M/month losses and are running out of money? Could be.

No offense to Visa, but I don't think of them as the most innovative organization or one that is a sign of a "good outcome" for a company getting acquired. I can't think of a good exit to Visa, but I am open to being wrong on that one.

Disclosures: worked at Stripe; dealt altogether more than I would have liked with Visa. Have no knowledge of Plaid's particulars.

Edit: Visa and Mastercard were strategic investors in the C round. Curious what the competitive dynamics were that led to Visa grabbing the acquisition instead of MC. https://techcrunch.com/2019/09/16/plaid-announces-strategic-...


Looks like the acquisition price is $5.3 billion[0], so it looks like it's a real winner for its investors.

[0] https://www.streetinsider.com/Corporate+News/Visa+%28V%29+to...


Nice to have the number to sate my curiosity! Thanks for the link!


> No offense to Visa, but I don't think of them as the most innovative organization

Visa is a $434B company. I guess "innovative" is subjective but their valuation trajectory has looked like a high growth tech co over the past 5 years.


That's kind of a weird thing, like my mental picture of Visa is indeed that they're a bit stodgy and behind the times.

But then the other part of me says that I clearly have no clue what I'm talking about; there's basically no chance they could stay relevant this long without being on top of it at some meaningful level. And potential quasi-monopoly status doesn't quite capture it. So much of finance has been disrupted by technology; you figure if there are finance companies that weren't disrupted, it must be because they are the technology.


All the POS tech is behind the times, because retailers don't want to spend the money to upgrade. But behind the scenes I'm sure their fraud detection etc. is quite reasonable.

It seems their main software division is in India and in the US it's mostly sales, servers, mobile, and POS support, suggesting that the company is focused on the bottom line and probably could be disrupted. For example Bitcoin is getting more and more prevalent. But it's going to take a while before supporting a new payment network is as easy as an over-the-air software update. And the recent trend in "disruption" is acquihires as seen here.


Visa is extremely unlikely to be disrupted. Their network links almost every bank in the world. It would take decades for a competitor to sign up all the random banks out there. Furthermore, the intermediate steps are not really that lucrative. It'd take tremendous up-front cost and patience.

Apple couldn't even do it with their in-house credit card.


I'd argue that their weakness is governments more than companies.

Governments are eventually going to see "a foreign company owning our major payment networks" as a national security and sovereignty risk, especially if we end up in a multi-major-power world. They'll also eventually covet the data and the ability to disable "inconvenient" business. You might see it take the form of a government-mandated account (would Visa/Mastercard have taken off at the same angle if universal, instant direct debits were available in the US?), or just providing a glidepath for local commercial alternatives. Look at what Russia is doing with the Mir card.


Visa measures its downtime in seconds per decade. Whatever they’re doing seems to be sustainable and scalable. They work so well, people just take them for granted. ‘It just works’ is a pretty good business model.


It could just be that to be a payment processor, it helps to have a conservative, reliable image.


Speaking from experience, of all 3 major US card networks, I consider Visa the most advanced in terms of their tech.


Their unfair advantage is being a front for selling data pipelines to hedge funds.


That's fair. 3x valuation growth in the last 5 years is tech company level. More or less the same trajectory as GOOG and FB.

It's not Stripe or Airbnb level growth, however.


That's just a function of their size. I guarantee you that Stripe and Airbnb's growth rates will drop to these types of growth rates if they hit the 100B valuation. The truth is when you are so large, the opportunities for growth become smaller and smaller. It's much easier to grow at high percentages when you are small. Buffett talks about this a lot with Berkshire; he has said he could grow Berkshire at a much higher rate if the company was smaller. Now he has to pass on amazing investment opportunities that are too small for him.


no one suggested that it was.

my point is that it's clearly not a dying dinosaur of a company. if anything, Visa has too much power in our financial system as more transactions are non-cash and non-ACH based.


Well the attractiveness of Visa (V), GOOG and FB is that they are all profitable companies that don't need "hypergrowth" because they own and control their target market.

FB and GOOG own a part of the internet traffic. Almost all of the world's internet payments go through VisaNet, which is the fundamental processor of these internet payments and has been profitable for years.


Harder to have the same growth rate coming from a much higher base (already being worth about $100 billion five years ago)


% or $'s? You can't eat a percentage.


>competitive dynamics were that led to Visa grabbing the acquisition instead of MC

Quite possibly got overbid in that case, which would be a good exit. MC is no slouch in this space.


As a former Plaid employee with options that vested after I was shitcanned last year, this is some pretty welcome news.


Congratulations on your lucrative shitcanning!


S/he got Plaid, then got paid!


You wouldn't usually expect to get paid after getting plaid.


Congratulations. Can we have some inside stories please?


You’re anon, and I was always curious: in terms of $$$, how much did you end up with? At what stage did you join and how many options did you get? Very rare to find real data online about this.


I'm happy to post these things, without identifying companies. I'm sure you could find them on my resume or linkedin but there'll still be some ambiguity.

Company A, 0.05% or 9000+ options vested, IPO, post-lockout sale at net ~$300k, was an early engineering employee

Company B, <0.001% or 10000+ shares vested, very late engineering employee, not liquid yet, hypothetical value in low-mid 6 figures

Make sure you do proper tax planning, taxes take an enormous bite, even with long term capital gains.


What do you mean by tax planning?

If your company IPOs they will withhold shares for you. Only thing to watch for is depending on your income they might underwithhold. There isn’t much more to it than that.


I was taxed at the time of my grant, and then again on the gain when I sell. Had I put them in a self-directed IRA I could have bypassed six figures of cap gains tax.


You can’t contribute in-kind to an IRA.


Actually that’s a great point. Depending on your company and your role in the company I’m sure there are ways to get around that, but that would require your company to play ball and get creative with you.


The ole Mitt Romney.


My experience was significantly different. My advice is to consult a tax attorney and accountant with experience in these matters, don't trust the company to do it for you.


It depends on what form your equity is in. If you have options, you're responsible for taking care of your own taxes. (And the exercise+hold AMT mess is something to watch out for, though it's a little more difficult to fall into that trap now since the AMT exemption amount was raised.)

Even if you have RSUs (where taxes are customarily withheld), the company will withhold at the minimum statutory rates, which may not match up with your personal tax bracket.


Yes mentioned the company might underwithhold. I’m just suggesting it isn’t quite as complicated as it is being made out to be, from personal experience.


Anyone with a six-figure sale is nearly certain to end up owing more than they withhold (assuming you sell, which you probably should).

If a company hasn't IPO'ed, an 83(b) election may also make sense.


The IPO is a taxable event. You’re taxed at the IPO price, and your company should withhold shares based on that price.

After whatever lockup you have some fraction of shares remaining. When you sell those and if the price is greater than the IPO price then you have capital gains on whatever shares you still hold.

You still owe tax from the IPO. My point is the company will withhold shares from you, but you might need to pay more if they underwithheld for the IPO. This has nothing to do with your capital gains from selling your remaining shares.


The IPO is not a taxable event.


Parent is presumably referring to RSU releases at IPO which are taxable. You are correct that options and shares are unaffected.

https://www.amafinance.org/ipo/overview/


It's income, which in the USA is generally taxable.


You only pay tax when you sell your shares or exercise options.


IMO an 83b election only makes sense if you have negligible exercise costs. Otherwise, it's a lot of risk to take on an exit that may never profitably happen.


Eh, it generally can make sense if you can get QSBS, as that is so favorable.

All said, the better companies offer partial recourse loans to early exercise.


My point is that most employees at most startups are going to join after the earliest days, with option grants that will have exercise prices that entail a 4- or 5-figure outlay to exercise. Maybe this is just the east coast, but I've never worked at a company that makes loans to allow for early exercise. I'm not sure I know anyone who has had this situation. Even early exercise is relatively rare here.

This is days later, so not sure if you'll see this, but could you explain what QSBS has to do with it?


Exercising options has tax consequences.


Depends if you signed 83b or not. If you’re early you should always do that.


You can't always, not all companies allow early exercise.

If you've been at a private company for a while you may have options that have vested approaching the ten year expiration with a large spread between strike and the fair market value.

If these options are ISOs then exercise has a lot of tax consequences to get right (AMT particularly, to save some money). If you have NSOs you've still got a lot of tax to deal with on exercise, but you don't have the benefit of getting some tax-free below AMT.


What tax-planning resources did you find useful?


Consult an experienced tax attorney and CPA in your state. For a six figure sum the taxes make the cost of an attorney and CPA a rounding error.


I recently found out that California treats capital gains as normal income. No fun.


There are fewer than 10 states that don't tax capital gains at the same rate as ordinary income.

Most states tax capital gains at the same rate as ordinary income.

And then 10 states don't tax income at all.


Sounds like a great reason to relocate to a state that is more reasonable about income taxes than CA.


imo the cap gains treatment from CA is pretty normal compared to the majority of states.

The part where CA chases your stock grants/options for years after you leave the state is a bit less reasonable to me. (But I'd guess some other states do the same)


Right, the taxation mechanism is typical, but it's the amount that's onerous. CA has the highest state income tax rate in the nation. If states are going to tax capital gains as income anyway, it's all the more reason to move to a state with low or non-existent state income tax.


I'm curious, why shouldn't they?


Short term capital gains, yes.


I don't know about California, but NY State definitely treats long term gains as regular income too. You take the net capital gains number from your IRS Schedule D (total gains minus total losses) and copy it onto a single line on your NY tax form that gets added directly into your NY gross income. (There's no mention at all of long term vs. short term on the NY tax form - capital gains is just a single line item.)

(Everyone, including the IRS, treats short term gains as regular income.)


Long term capital gains as well


I'm interviewing with them this week. Any advice/warnings I should know going in?


do you think it’s worth it?

imo it’s hard to shake how awkward it is when everyone around you is rich and you’re being offered a regular salary that is now dictated by Visa HR


Also isn't there a chance you'll just get canned soon? The interview pipeline has existed separate from the acquisition efforts. Visa will have opinions on where they want to go from here.


I don't have data, just an anecdote.

I was hired by Sun. Just before my start date, Oracle announced they would be buying Sun. I was worried, but it turns out acquisitions are pretty slow processes. There were months of waiting for government approvals, then months more before the culture really started feeling like "Oracle" instead of "Sun."

In short, there's a decent chance that anyone applying now could be on payroll for months or years before Visa actually meaningfully changes anything about Plaid's workflow.


Brush up on k-means clustering. Also be prepared to drink the kool aid.


I heard a mobile engineer interviewed there and the question was go to wikipedia, implement ^ WITH tests in 1 hour. Lordy, they weren't bashing them because they didn't get an offer were they?


I support this big time.

Plaid is a complete joke -- "give us your bank passwords and we'll validate your account". Banks are an even worse joke -- "20,000 logins today from one IP address, nope that's not a scam".

Plaid customers are the worst. Like Transferwise: you cannot set up a business account with them without giving Plaid your business banking passwords. What company treasurer would allow that?

Now that Visa is holding the bag this fixes two problems:

1. For customers, there is less risk that Visa will steal all your money than some "fintech" startup.

2. For Plaid customers, they may realize Visa is buying this for the data and they may think of Visa as a competitor and not want to support them.

---

Because "just give us your sudo password to install software" and "just give us your bank password" to send money is a thing... the obvious dumber people in the future will have to do "just sign this power of attorney to create an account with us."


do you really think a billion+ dollar company (Plaid) would "steal all your money"? That's a pretty silly statement. More realistic to think they have shitty security practices and could be hacked. FWIW, I worked at a large bank for over a decade and a fintech after that, the fintech had better security practices.


> Banks are an even worse joke -- "20,000 logins today from one IP address, nope that's not a scam".

Banks (at least the big ones) often block aggregator traffic. This is resolved after speaking with them. The usual resolution is to whitelist specific IPs for massive traffic.


working with banks every day how in the heck did this pass. WOW


So, pertinent question. I want to move my account to a bank which gives me an API so I don't have to deal with Plaid or Mint. I.e. I want data privacy. I want to build a personal dashboard of where my money is going.

Any suggestions?


> Any suggestions?

Lobby your lawmakers. Banks have no incentive to provide open APIs.

For example, in the UK banks did nothing until they were forced to - the market regulator now requires the nine largest banks to provide an open API (https://www.openbanking.org.uk).


Open Banking is a sham. It mandates account access for "AISPs" which need to be registered, audited, etc which is unfeasible for a solo developer especially when releasing a free/open-source product. Worse, it doesn't actually mandate your access to your own account, so that still depends on the bank. The modern banks provided APIs even before open banking so we're good, but the legacy ones still don't provide personal APIs.


It's not ideal, but I wouldn't call it a sham. Vulnerable users' banking details are highly targeted by fraudsters, and I can see the concern from lawmakers that making it mandatorily open to all via some oauth style flow (for ex) would limit the banks from controlling access to scammers.

The law doesn't restrict the banks giving access to non-AISPs and, like you say, many of the modern banks do have personal API access, it just sets a minimum bar you have to reach before they're forced to let you in. It seems like a pragmatic middle ground.

What is bad, in my eyes, is the law currently only applies to the CMA9.


If you find one let me know. That was the promise of Simple Bank when they launched. I've been with them around 7+ years now and a couple years in they quietly removed that claim from their website and support responses said they weren't working on it anymore. They are still a decent bank but API access never materialized.

In fact I randomly came across myself bemoaning this fact 5 years ago lol [0]. Also at one point I wrote my own small wrapper to access parts of their internal API [1] but I haven't touched that in years so I seriously doubt it still works at all.

[0] https://news.ycombinator.com/item?id=10623628

[1] https://github.com/joshstrange/simplebank


I must say I was quite surprised when I read this comment. In Germany we have FinTS [1] with an open specification and I'm not aware of a single bank that doesn't support it. It's been around since 2002 [2] and is based on HBCI, which became available in 1998 [3].

I suspected it might be different elsewhere, but I had no idea that the situation was so dire that you had to actively go looking for a bank with an API.

[1] https://en.m.wikipedia.org/wiki/FinTS

[2] https://de.wikipedia.org/wiki/Financial_Transaction_Services (German)

[3] https://de.wikipedia.org/wiki/Homebanking_Computer_Interface (German)


FinTS does not solve the problem of (scoped) authentication and authorization at all.

It merely provides a standardized interface to access account data or initiate transactions, but it still uses a plain username/password login to authenticate.

Even that it does not do particularly well – the protocol is horrendously outdated and does not support "recent" inventions like credit cards on many popular banks, which means that banking aggregators have to fall back to screenscraping anyway.

However, this will hopefully change soon with PSD2/SCA, which does mandate such secure account access (based on OAuth2, if I understand it correctly).


I believe https://monzo.com/ is aiming for this

Developer docs: https://docs.monzo.com/

I'm not currently aware of a US bank equivalent


In theory, you could use OFX, which is an open standard that powers the "Download transaction" feature of Quicken/MS Money

In practice, banks never tell you the address of their OFX server and you have to rely on community compiled database (eg ofxhome); many banks' implementations are iffy; some banks even charge you for enabling OFX support on your account. In the end it's just so much easier to outsource this to Plaid, which is why they are a billion dollar business.
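An added example, not from the thread nor any bank's or Quicken's code, of reading the OFX file the comment describes once you have obtained it (the server-address problem it raises is untouched): parse the SGML-style body, pull the transactions out as typed records, and de-duplicate overlapping downloads on FITID. The sample statement is constructed with made-up bank and account numbers. Going slightly beyond the comment, the same parser also accepts XML-style OFX 2 bodies.

```python
"""OFX statement reader for the Quicken/Money 'download transactions' format
named above. Added example, not any bank's or Quicken's code; the statement
below is constructed and its bank and account numbers are made up.

OFX 1.x is SGML: a leaf like <TRNAMT>-42.17 has no closing tag, an aggregate
like <STMTTRN>...</STMTTRN> does. A tag followed by text is read as a leaf and
anything else as an aggregate; a closing tag matching no open aggregate is
ignored, which lets the same code read XML-style OFX 2 bodies as well.
"""
import re
from dataclasses import dataclass, field
from datetime import date
from decimal import Decimal
from html import unescape
from typing import Iterator, List, Optional

SAMPLE_OFX = """OFXHEADER:100

<OFX>
<BANKMSGSRSV1><STMTTRNRS><TRNUID>1001
<STATUS><CODE>0<SEVERITY>INFO</STATUS>
<STMTRS><CURDEF>USD
<BANKACCTFROM><BANKID>000000000<ACCTID>123456789<ACCTTYPE>CHECKING</BANKACCTFROM>
<BANKTRANLIST><DTSTART>20200101<DTEND>20200113
<STMTTRN><TRNTYPE>DEBIT<DTPOSTED>20200102120000.000[-5:EST]<TRNAMT>-42.17
<FITID>2020010200001<NAME>COFFEE SHOP 1234<MEMO>POS PURCHASE</STMTTRN>
<STMTTRN><TRNTYPE>CREDIT<DTPOSTED>20200110<TRNAMT>1500.00
<FITID>2020011000002<NAME>PAYROLL DEPOSIT</STMTTRN>
<STMTTRN><TRNTYPE>DEBIT<DTPOSTED>20200112<TRNAMT>-0.32
<FITID>2020011200003<NAME>TRIAL DEPOSIT REVERSAL &amp; FEE</STMTTRN>
</BANKTRANLIST><LEDGERBAL><BALAMT>2310.55<DTASOF>20200113</LEDGERBAL>
</STMTRS></STMTTRNRS></BANKMSGSRSV1></OFX>
"""

_TOKEN = re.compile(r"<(/?)([A-Za-z0-9._]+)>([^<]*)")

@dataclass
class Node:
    tag: str
    value: Optional[str] = None  # leaf text; None for aggregates
    children: List["Node"] = field(default_factory=list)

    def leaf(self, tag: str) -> Optional[str]:
        return next((c.value for c in self.children if c.tag == tag and c.value is not None), None)

    def walk(self, tag: str) -> Iterator["Node"]:
        if self.tag == tag:
            yield self
        for c in self.children:
            yield from c.walk(tag)

def parse_ofx(text: str) -> Node:
    """Skip the plain-text header, build the element tree, return the <OFX> node."""
    start = text.find("<OFX>")
    if start < 0:
        raise ValueError("no <OFX> element found")
    root = Node("ROOT")
    stack = [root]
    for closing, tag, trailing in _TOKEN.findall(text[start:]):
        value = trailing.strip()
        if closing:
            if any(n.tag == tag for n in stack[1:]):  # close the innermost open aggregate of that name
                while stack[-1].tag != tag:
                    stack.pop()
                stack.pop()
            # otherwise it closes a leaf (OFX 2 style) or is stray: ignore it
        elif value:
            stack[-1].children.append(Node(tag, unescape(value)))
        else:
            node = Node(tag)
            stack[-1].children.append(node)
            stack.append(node)
    return root.children[0]

def ofx_date(raw: str) -> date:
    """OFX dates are YYYYMMDD[HHMMSS[.XXX]][[offset:TZ]]; the calendar date is the first 8 digits."""
    return date(int(raw[:4]), int(raw[4:6]), int(raw[6:8]))

@dataclass(frozen=True)
class Transaction:
    fitid: str       # bank-assigned unique id: the key for de-duplicating overlapping downloads
    posted: date
    amount: Decimal  # negative for debits, as in the file
    trntype: str
    name: str
    memo: str

def statement_transactions(ofx: Node) -> List[Transaction]:
    """Every <STMTTRN> in the file as a typed record."""
    return [Transaction(fitid=t.leaf("FITID") or "",
                        posted=ofx_date(t.leaf("DTPOSTED") or "19700101"),
                        amount=Decimal(t.leaf("TRNAMT") or "0"),
                        trntype=t.leaf("TRNTYPE") or "",
                        name=t.leaf("NAME") or "", memo=t.leaf("MEMO") or "")
            for t in ofx.walk("STMTTRN")]

def merge_by_fitid(existing: List[Transaction], fresh: List[Transaction]) -> List[Transaction]:
    """Repeated downloads overlap in date range; FITID, not (date, amount), identifies a transaction."""
    seen = {t.fitid: t for t in existing}
    for t in fresh:
        seen.setdefault(t.fitid, t)
    return list(seen.values())
```

Two things a screen-scraper does not give you: FITID is the bank's stable identifier, so re-downloading an overlapping date range merges cleanly instead of producing duplicates, and amounts are parsed as Decimal rather than float, so cents add up exactly. Signs follow the file's convention (debits negative).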


You could try Actual [1], which stores your data locally. It does however go through Plaid. Would be interesting if there was an alternative option to screenscrape your online banking portal.

[1] https://actualbudget.com/


However, it seems that isn't even out yet:

"Bank syncing is a critical feature that is coming soon!"

You can manually import QFX/other standard formats though, but not all banks have exports of this, and it's very manual.


What about OCR'ing (or extracting from an electronic PDF) your bank statement each month and then parsing the data into your desired format? You could add tags, metadata, etc. as well.

I'm thinking of something where you download your statement (usually available in PDF form) and then drag it to a web interface where it then gets OCR'd and processed.

A bit more manual, but the upside is you're not leaking your creds and you should also have access to more data (banks have to provide statements and they usually provide them going back many years).


Every bank I use provides _some_ sort of structured data export (at the very least a csv, and in most cases a more finance-specific format (OFX, etc). I'm not talking "modern" banks here, either (Ironically, the most modern bank I use, Aspiration, only provides exports in a non-standard csv format)


Have you tried AutoEntry? Might be the solution you are looking for. https://www.autoentry.com/


Check out Mintable: https://github.com/kevinschaich/mintable

It uses Plaid out-of-the-box, but it has a pluggable provider model for other data sources: https://github.com/kevinschaich/mintable/blob/master/docs/PR...


Monzo or Starling in the UK.

In the absence of APIs from most banks, it would be nice if there was a client side personal finance web app that allowed uploading .csv or pdf statements, and scraped those for you locally, perhaps with the option of using your own Google Drive or Dropbox as a persistent storage backend beyond browser localstorage.


Just do what Plaid does and scrape it. Your bot could also download a csv file.


In the UK I'd suggest Monzo or Starling Bank.


the only way atm would be to sign up for email notifications for any transactions, and parse the emails to get relevant data

there are a few issues though:

1. some banks only send notifications for transactions that are over a certain amount (eg BofA is >$25)

2. the merchant name is arbitrarily cut-off (based on char length), so you don't really get reliable merchant info
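An added example, not from the thread or any bank, of the alert-parsing fallback described above. The alert wording, the ALERT_FLOOR table and the merchant list are constructed and are not any real bank's template; the point is to handle the two gaps the comment raises, the per-bank minimum below which no alert exists and the width-truncated merchant name.

```python
"""Transaction extraction from bank alert e-mails, the workaround described
above. Added example, not any bank's code; the alert text, the ALERT_FLOOR
table and the merchant names are constructed, not a real bank's template.

Two gaps the comment names are handled explicitly: alerts only fire above a
per-bank minimum, so that floor is recorded on every parsed result, and the
merchant name is cut at a fixed width, so a truncated name is expanded only
when it is the unique prefix of a merchant already seen in full elsewhere.
"""
import re
from dataclasses import dataclass
from datetime import date
from decimal import Decimal
from typing import Dict, List, Optional

# assumption: this bank alerts only on card purchases of at least this amount
ALERT_FLOOR: Dict[str, Decimal] = {"examplebank": Decimal("25.00")}

_AMOUNT = re.compile(r"\$\s?(\d{1,3}(?:,\d{3})*|\d+)\.(\d{2})")
_DATE = re.compile(r"\b(\d{1,2})/(\d{1,2})/(\d{4})\b")          # US mm/dd/yyyy
_MERCHANT = re.compile(r"\bat\s+(.+?)\s+(?:on|with|was)\b", re.I)  # matches the constructed wording
_LAST4 = re.compile(r"ending in (\d{4})")


@dataclass(frozen=True)
class Alert:
    bank: str
    when: date
    amount: Decimal
    merchant: str              # as printed, possibly truncated
    card_last4: Optional[str]
    alert_floor: Decimal       # purchases below this never produced an alert at this bank


def parse_alert(bank: str, body: str) -> Optional[Alert]:
    """Return an Alert, or None when the body carries no amount and date (OTP codes, marketing)."""
    m_amt, m_date = _AMOUNT.search(body), _DATE.search(body)
    if not (m_amt and m_date):
        return None
    amount = Decimal(m_amt.group(1).replace(",", "") + "." + m_amt.group(2))
    mm, dd, yyyy = (int(g) for g in m_date.groups())
    m_merch, m_last4 = _MERCHANT.search(body), _LAST4.search(body)
    return Alert(bank, date(yyyy, mm, dd), amount,
                 m_merch.group(1).strip() if m_merch else "",
                 m_last4.group(1) if m_last4 else None,
                 ALERT_FLOOR.get(bank, Decimal("0")))


def resolve_merchant(truncated: str, known_full_names: List[str]) -> str:
    """Expand a width-truncated merchant name when exactly one known name starts with it;
    otherwise return it unchanged rather than guess."""
    key = re.sub(r"\s+", " ", truncated).strip().upper()
    hits = [k for k in known_full_names if k.upper().startswith(key)]
    return hits[0] if len(hits) == 1 else truncated
```

Because the alert floor travels with every parsed Alert, whatever you build on this data can flag that sub-floor spend is absent instead of silently under-reporting; and a truncated merchant is only expanded when the match is unambiguous, so a short prefix stays as printed.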


You could parse SMS too.


Yeah, I'll second this. I figure we're talking headless browser scraping of online banking portals.


Have to say I'm not a fan of Plaid at all.

Dark patterns galore. Absolutely no indication when you go through a Plaid flow that you're likely giving away much more than just the bare minimum account numbers to push money in/out of your bank account. Often, you're also giving away transaction data, identity, real-time balance, etc. There's no way to know prior to linking your account.

I had high hopes that would have made things more transparent given the new CCPA laws that went into effect on the 1st but have not seen anything change.

Edit: I think the 4D chess move here by Visa is the amount of data Plaid has. Bank transaction data from all types of transactions, not just Visa ones, is massively valuable.

If people were concerned about Google acquiring Fitbit data I would be incredibly concerned about Visa basically buying all financial transaction data...the FTC should really investigate the acquisition.


I have been interested in the idea of an open API for banking (one which supports Canadian banks would be preferable, as I am Canadian), and I have had a few ideas for applications to implement with Plaid. I keep reading feedback about Plaid on HN similar to yours, though, that makes me less confident in the product.


Keep in mind every pull for transactions will cost money so you need to charge enough per month to cover those costs. It’s closer to $1 than a penny like most APIs.


Yikes, $1 per transaction pull? Wonder if there's a way to only pull transactions when a charge for a specific vendor comes across.


I’m personally a bit surprised that banks haven’t embraced U2F / WebAuthn as a way to disable Plaid.


On the contrary - Banks are falling over themselves to embrace Plaid, Finicity, Decisionlogic, Yodlee and all their ilk because failure to do so will result in the departure of their customers to a bank that supports all the new fintech apps that rely on these API providers.


No, if anything banks have been catching on to Plaid and many have decided to stop supporting it e.g. Capital One has been on/off it for years.

Banks aren't exactly happy that their API is basically scraping their website, for very valid reasons, including the customer's own security.

If enough of the big banks decided they had enough of Plaid then it would present a massive existential threat to the business. If anything, I think that threat is a reason why they wanted an exit sooner rather than later.


Capital One removed common banking functions on my account about a year or so ago. I can no longer bill pay vendors and exported statements don't even match the UI. So I wouldn't use them as a model. Their online Spark account is terrible.


I guess this is part of why they would welcome an acquisition by VISA. They instantly have a generous benefactor to open all the doors to the various banks.


Or PSD2 will make their tech outdated. Europe’s push for open banking may not be fast but it is relentless.


Big banks want to block all this stuff. It’s both a security risk and also reduces the friction to migrate banks. The alternative to Plaid's ACH verification is micro deposits, which takes at least 1 day to verify the account. Banks have negative NPS scores and people don’t move because it’s a lot of effort, including moving all your bill pay info etc.


I agree with you. When I used their cc statement 'API' about a year ago there were less than 5% of my transactions showing up -- why? because Chase added a promotion to their statement and Plaid's scraper wasn't expecting it

Have to imagine my statements hold more value than their scraping algo


2D chess is actually quite complicated.

Buying a company to get its most valuable assets is less complicated than that.


As long as banks have no incentive or are forced to provide API's, I doubt this will change...


Why is a duopoly like Visa/Mastercard allowed to make acquisitions in its own space?


It's not a duopoly? In the US, AMEX and Discover aren't that difficult to use, and a fair amount of retailers accept in-house credit accounts and international creditors like JCB and UnionPay. Payment via debit networks is still very common, and low-tech forms of payment such as cash and checks are still acceptable in many use cases.


Amex and Discover are different as those are closed-network.

I think it's really hard to argue Visa/MC is not a duopoly. Unfortunately anti-trust enforcement in the US has been more political than anything.


I would say this is an example where a duopoly is useful for consumers. The duopoly allows consumers the ability to use a credit card pretty much anywhere they want in the US; this is pretty convenient if you use a credit card responsibly. It is also a better solution than the old days where you would have store cards or a store account. (I am not saying the duopoly is great, because these companies are a massive headache for businesses and increase the cost of things.)


>I would say this is an example where a duopoly is useful for consumers. The duopoly allows consumers the ability to use a credit card pretty much anywhere they want in the US

Going by that reasoning a monopoly would be even better, as the card would be accepted everywhere.

The consumer pays by lack of innovation and high scheme fees.


closed network?


You only get discover & Amex cards from those companies whereas Visa & MasterCard are networks that other people can “buy into”, ie your bank card (or credit card offered through a bank).

IMO not super relevant to the topic of competition; there are 4 networks, and the fact that two of them are structured differently doesn't really have impacts on sellers & customers (other than that the two open networks, Visa & MasterCard, are significantly larger)


This isn't quite true, I have a BVAA credit card that uses the AMEX payment network and I used to have an FIA Card Services credit card that used the AMEX payment network (the old Fidelity credit card)


You’re right, it’s weird, American Express has literature where they talk about being a closed loop network and apply that definition. Maybe it’s more appropriate to just say that visa and MasterCard don’t directly offer credit cards.


There are starting to be a lot of Amex network cards offered through other banks, with everything from Wells Fargo to Credit One (the first is one of the largest in the country, and the second is basically a scam).

Discover also does this, although there are fewer available. Here is an example through Comenity in partnership with True Value: https://d.comenity.net/truevaluediscover/pub/Home.xhtml They used to do something similar for a card with Wal-Mart.


Visa is 54% of all card purchases, Mastercard is 23%, and together they're 100% of debit purchases.

Waaaaaay past any reasonable threshold for market power scrutiny.

But antitrust is currently dormant in the USA.


Discover and Amex debit cards exist.


Not sure what relevance that might have. It's antitrust law, not "monopoly law", and there's no legal requirement that no competitors exist in order for the law to be involved. Antitrust law is about market power, not some imaginary narrow definition of "monopoly".


I was simply refuting the claim that 100% of debit purchases are Visa + MC.


Plaid scrapes bank credentials to enable challengers vs banks. VISA seems to be officially taking a stand with fintechs and challengers. So a bank can no longer piss off VISA & refuse scraping.

But here's my bigger bet. Using this, VISA will launch a competitor to FICO.


It'll serve as a means for VISA to even more strategically target customers for its financial products/services.


Plaid and the broader explosion of white-label fintech infrastructure is great. Ultimately, it increases the number of companies that can enter the space and provide more competitive loan management tools, decision engines, identity verification, credit, wealth management, and so on to consumers. License the most complex/costly infrastructure, and then progressively swap out those vendor provided capabilities with internal platforms as they scale up (e.g. Revolut).

There's still lots of problems to solve in the connectivity space that Plaid sits in, and the pursuit of some kind of unified open personal finance data standard isn't really on the table for those steering the big initiatives (e.g. FDX). This is mostly due to the variety of the data and number of players (tens of thousands of institutions). For more on that, this interview with Jeff Leathers, founder of Quovo, a similar company that was acquired by Plaid in 2019 is not a bad listen:

https://medium.com/wharton-fintech/podcast-with-lowell-putna...


Plaid is the scraping app US fintech startups had to use before https://teller.io (which uses the bank's own native APIs and therefore goes down way less) launched there. Good timing for the Plaid exit. Teller will eat their lunch.


Abstracting away from this specific case, it is IMO just another example of the potentially very significant and real risks of being reliant upon cloud or, more generally, technological platforms operated by potentially acquirable companies. While some acquired companies remain relatively independent and continue offering original products (in the short-to-medium term), many don't [I have compiled a long list of case studies ...]. And if this (along with IT security) doesn't make most CTOs and/or CIOs wake up in the middle of the night, then I don't know what does. Industry consolidation is IMO a pretty scary, but probably inevitable, trend. I think that the safest approach (sans some corner cases, e.g., a unique technology) is to build one's company's technology platform on an "unacquirable" technology infrastructure (for the cloud, that would be AWS, Azure and, to a somewhat lesser extent, GCP). Thoughts?


Curious what happens to options that are yet to vest when a company gets acquired like this? I had a potential offer from them and I'll be losing some sleep tonight :(


It probably depends on the terms of the acquisition, but here's one data point: when the company I work for was acquired, all options were vested immediately and purchased by the acquiring company. So, options => cash.


There's some flexibility, but often the unvested options in the acquired company are converted into unvested options in the acquiring company on the same schedule.


> often the unvested options in the acquired company are converted into unvested options in the acquiring company on the same schedule

Yup, and I'd clarify that the new options aren't 1:1, but calculated based on some price-per-share of the acquired company.


They are talking about potential offer. There is no agreement between the two sides.


From the documents at: https://investor.visa.com/events-calendar/Event-Details/2020...

Deal is

* $4.9B cash consideration

* $400m retention equity as VISA RSUs


Congrats to Plaid!

Overall, I'm no fan of these scrapers. Apart from the army of engineers (internal cost) required to maintain them, on the outside they sell a promise that is putting users' privacy at risk. This is especially prevalent in the bookkeeping space.

Many "me too apps" stitch their services using Plaid to provide bookkeepers with bank feeds & statements for their clients.

Others use Xero's HubDoc (which Xero paid 70m for a few years back) which basically does the same thing: scraping financial statements from many online services using a combination of tools and humans. It's a goldmine for hackers; plain text logins are stored in their database to practically many online accounts owned by business owners.

Amazing to what degree people will go to save a few hours of labor each month.



That's interesting... 200M accounts on Plaid.

You gotta figure that's near the top of the S-Curve, right? Very close to 100% of the TAM in the US, and I would imagine that global expansion is costly given banking regulations in different regions. Visa already has the reputation / relationships to push forward there.

Congrats to the team!


Do the early employees get a huge payout on their options?


Perhaps they'll just get visa gift cards... ;)


Even if they had really shitty agreements I bet they'll see something substantial. Reports are saying it was a 5.3 billion purchase price. That's a lot of money for 400 employees.


Having 400 employees doesn't say much about how equity is distributed, though. E.g., (made up numbers, I know nothing about Plaid's comp specifically) if an employee gets 1 basis point over 4 years, that's 0.01% * $5.3 billion / 4 = $132,500, which combined with a startup salary might land you at around Google L4.


Unless plaid's equity structure was very unusual, early employees (at least in engineering) certainly received much much more than 1 basis point.


Sure, but what's early? I don't think it's unheard of to get to O(1 basis point) at 100s of employees.

I've seen an offer at a ~50 person company for 1-2 basis points.


The early employees will get millions of dollars. This is 1)an unreasonably large amount of money for anybody to make or 2)nothing compared to the billions that the founders and venture investors will make.


Really don't like Plaid because they normalize phising. Surprised they aren't being condoned for this.


I think you mean "condemned"? To condone is to (often implicitly) approve of something that is ethically or morally dubious.


Yes, I think condemned is probably a better word!


Guess they survived the 3.5 year security risk [0]...

>7 points by Rainymood on June 21, 2016 [-]

>I'm going to be really rude here (forgive me) but I feel like every time a security question comes up you dodge the question really hard.

>I want to know one thing: If I log into your service with my bank credentials. Do you store these as plaintext files (or "encrypted" files of which you have the encryption key)? Yes/No.

>Furthermore, congratulations! I've been trying to start something up like this in Europe but I feel like there are way more restrictions in Europe on banking data and this kind of third-party aggregation. Sorry for being so rude.

Here is some previous news on Plaid on HN.

* 2016-06-20 Fintech Firm Plaid Raises $44M (wsj.com)[1]

* 2018-12-11 Fintech startup Plaid raises $250M at a $2.65B valuation (techcrunch.com)[2]

* 2020-01-14 Visa Buys Plaid (wsj.com)

[0] https://news.ycombinator.com/item?id=11939103

[1] https://news.ycombinator.com/item?id=18654880

[2] https://news.ycombinator.com/item?id=18654880


Visa invested in their Series C[0], so it seems unusual that they'd also acquire the company (why not acquire it back then?). Any ideas why this might have happened? Past examples?

[0] https://www.crunchbase.com/organization/plaid#section-fundin...


> so it seems unusual that they'd also acquire the company (why not acquire it back then?)

Not unusual at all. Pretty typical for CVC in fact. Couple of factors:

1. CVC (Corporate Venture Capital) typically tries to invest in similar markets of companies that either are competitive or pseudo-competitive (think of it as a hedge). For example, this would be like PayPal investing in Venmo.

2. It's cheaper in the long run for a CVC to make 10 of these bets to find that one that doesn't kill their core business model (usually a cash cow). That's why you see Ford/GM putting money into self-driving car start-ups.

3. They were probably not at the level of scale ready for Visa to take them on at the time of the Series C. This was basically a down-payment for their eventual acquisition. It's basically "you're too risky for us to buy, so here's some money that we can write off if you end up failing, but if you do fail, we don't have to deal with all of the crap that goes with a failing business unit (layoffs, compliance, etc)".


Great points (as well as the other comments).

I'm curious to learn more about strategy here since Paul Graham says there probably aren't more Googles because companies are acquired too soon. Facebook is famous for the Yahoo! offer. Stripe would have been a great acquisition (if they would have accepted any).

http://paulgraham.com/googles.html

https://twitter.com/paulg/status/403183731449413632?s=20


I’d speculate this is likely a result of one or both of the following:

1. A de-risking strategy. Investing early effectively discounts a future acquisition, but doesn't go so far as to bet the farm on the business's success. They would also gain very early and regular access to financials that would tell them if it's worth the follow-up plunge or if it is on its way to bust.

2. The founders thought there was more room to grow independently, but wanted to keep Visa friendly and close to home. Best way to do that is to change an acquisition conversation into a partnership/investment conversation.


They wanted to see what Plaid could accomplish with a little more money (and time) before spending a lot of money on the company. They liked what they saw and wanted full control.

Or they realized Plaid was becoming too valuable to its competitors. Or they didn't have the cash available at the time. Or Plaid didn't want to sell at the time.

Google Ventures participated in funding a number of companies that Google later acquired.


Make sure it worked. Also, Plaid didn't have any data to buy when it first started. Now, they have tons of data.

Had Plaid only been mildly successful, Visa likely would have just continued to let it run and get back its investment. But, now they have a decent amount of transaction data among other things, possibly making it more advantageous to own it outright than hope you can be one of many partners getting access to that data.


It seems like their investment might have been a way to dip their toes into the water. It probably allowed VISA the ability to do their due diligence and assess whether the Plaid team would execute on the stated vision.


Open Banking Standards in Commonwealth Countries will make the need for these scrapers redundant and limit the tool's use to the US only.

Never been a fan of scrapers. Very unreliable and a big security hole especially when MFA is used.

I wonder if the tightening data privacy regulations (CCPA et al) forced them to sell or whether it was just a good sale opportunity.


There is a service like this in Australia, POLi. It's used almost exclusively to facilitate EFT transactions to vendors that can't use the regular channels like PayPal, local Banks, or Mastercard/Visa, i.e. porno, gambling, bitcoins, drugs.

I learned about it by working in gambling. I cannot believe that people are OK with just giving their online banking details to a company. It's insane! but people are willing to use it because there is almost no other way of getting the product they want.

Take the legislative risk out of handling those types of transactions, and shit like this will disappear.


Whoever uses Plaid for ACH verification must start thinking about alternatives. Visa blocked PayPal from growing its ACH payments a few years ago.


"but that ignores the path dependency of one market using cash until recently, and the other receiving unsolicited Bank Americards 51 years ago. Once a job is done — and credit cards do their jobs very well — it takes a 10x improvement to get users to switch, and, in a three-sided network, that 10x is 10^3."


ACH services using any kind of API are and have been a pain.... I'm using Intuit and they have no good API; it forces you to do a redirect similar to PayPal. You basically have to write your own screen scrape tool to integrate with these people.


Didn't know such a thing existed till now. They took the feature that mint and others built early on and turned it into a business. Awesome. Have no idea how good it is but a multibillion dollar exit is great.


Pretty sure Mint was built on Yodlee, a Plaid competitor


I’m wondering if this will make Plaid’s pricing more or less opaque. Right now it’s go build it and then negotiate a rate. I think they would get a lot more uptake if they had upfront pricing.


Nearly every large SaaS company has opaque pricing because price discrimination allows them to make far more money than they would if they had published prices.


The WSJ updated the article this links to with the transaction price, $5.3 billion, "Visa to Pay $5.3 Billion for Fintech Startup." Maybe the HN title for this item should be updated?


Plaid is trash. Doesn’t work with 2FA and is super unreliable. It’s crazy that a project with so many faults could be financially successful.


Banking regulators should mandate open banking APIs and default-private, non-sellable transaction data. The fact that they don't means that they don't work for us, government has been turned into a tool to enable and encourage rent-seeking. The "deregulation" obsession in this country is turning us all into modern feudal serfs, we have no option but to toil in our Lords' properties without recourse.


It would be interesting to know if the employees saw any of that money.


This is too bad if they sell this prematurely


5.3 billion is not premature. That's a fucking jackpot for a company that only raised 350MM.


I wish them well - could they have grown to be much more?


Plaid?

Edit: I guess I’ll look up their homepage, and try to scroll through the marketing speak to figure it out. Seems like it would be nice if someone in the know could just tell us.


Congratulations to the Plaid team!


Still waiting for the Zelle API.


Please I wanna know how to work




So visa has been plaid?


For $5.3 Billion!!!


Heard they were offering .1 percent for senior software engineers 6 months ago. Congrats guys!

(source:https://www.teamblind.com/post/Plaid-acquired-by-Visa-for-5B...)


FFS...can anyone run a business these days without XYZ company getting acquired.


At least we'll be able to say... They've gone into plaid!


When I was a kid, I always laughed at the "F*, even in the future nothing works" quote. Now that I am a software engineer, I just get sad.


I always hope that new exciting companies will work towards a sustainable business model that can exist without a buyout from some mega. I understand that it's difficult to start a business, much less a sustainable one, but it's sad to see such promising companies grow into a pitch instead of a business.

Maybe it's a good thing I didn't get hired for their SLC office, because I would have quit over this.


Out of curiousity, why would this acquisition be a reason to quit?


To me this move indicates weakness. It's a fine exit for the early employees and the executive team, but there's no reason to sell if you have a solid business plan and a realistic vision for future profitability. Maybe the only vision for the future they want to pursue involves some expensive investment, or the business was built on massive debt that can only be paid off in this way.

I want to be a part of building something that can survive as an independent entity. Selling is an admission that this is either not a goal or not possible given the current position of the company. Both of these are against my ethics. Why should I stay at a company that has openly admitted that they are incapable or unwilling to pursue independence?


At this point, what difference does it make? Visa can survive as an independent, profitable entity by your criteria.

> but there's no reason to sell if you have a solid business plan and a realistic vision for future profitability.

They had 5.3 billion reasons to sell. With an acquisition offer that high, it's not about the company's ability to survive independently. It's about doing what's in the best financial interests of the company and employees.

> i want to be a part of building something that can survive as an independent entity. selling is an admission that this is either not a goal or not possible given the current position of the company. both of these are against my ethics. why should i stay at a company that has openly admitted that they are incapable or unwilling to pursue independence?

Your distinction is a bit arbitrary. Plaid wasn't a fully independent company after they took significant money. Take a look at their board of directors. Only 2 out of 5 board members were Plaid executives. They had already "sold" part of the company when you applied.


I didn't say "fully independent"; I talked about a willingness to pursue independence. That's the difference that I care about. I value independence more than money. You do need a certain amount of money to be autonomous, but it's about end goals. I don't agree with the end goal of "make the best business deals for the biggest amount of money". Besides, long-term you make way more money if you are independent. I have respect for Visa and I'd work there because they do value independence, but I wouldn't work for a subsidiary who couldn't hack it as a competitor.


Anyone know if this acquisition is a win for Plaid, or are they just panicking before bank API middleware becomes commoditized (e.g. http://paysli.com/ offering free authentication)?


I see a lot of hate for Plaid here. It was my understanding that the only reason you would really ever use Plaid is because they were able to give programmatic access to flat-rate fee ACH payments of basically any size. Obviously they were never something you could compare to Stripe. I wonder what's going to happen in the near future, especially considering Plaid was obviously stepping on the toes of the interchange rates of the likes of Visa.


Plaid provides an api to access transaction history and verify bank account ownership.

They don't do ACH transfers.


https://fin.plaid.com/articles/inside-ach-payments-with-stri...

"""To get started with ACH payments, you need a system that can connect you (the originator of the ACH transaction) with an Originating Depository Financial Institution (ODFI). Additionally, that system should be able to give updates on the status of the payment and give the developer an interface to authenticate, verify, and charge the user on demand.

That’s where Stripe comes in. In January, the payments infrastructure giant debuted support for ACH payments through its platform alongside a partnership with us here at Plaid. Now, Stripe users can authenticate their customers through Plaid (or, if they must, micro-deposits) and then charge them through ACH."""

Am I misunderstanding something?

EDIT:

Okay so maybe they weren't doing the transfers, but they were certainly facilitating them and adding to the adoption of more ACH based payments (which means less credit-card payments). Same conflict of interest applies. What does Visa care about bank account verifications?



