Co-founder of Plaid here. This is not true, we do not sell transactional data to third parties. We make 100% of our money by letting developers build financial applications[1].
And just to point out, there are others that do sell this as part of their business model, so kudos to Plaid for trying to find another way.
https://www.forbes.com/sites/petercohan/2018/07/22/mastercar... (Another "Forbes Contributor" article, so grain of salt on the details)
I do think these aggregated services are a net benefit to the fintech ecosystem overall. However, any service that uses a Plaid type service still could be selling transaction data to third-parties. For instance, Acorns:
>>> Acorns uses Plaid Inc. (“Plaid”) to gather your data from financial institutions...
>>> Acorns and Empyr will use transaction information from your Acorns debit card in connection with the Found Money Plus program as follows:
... to provide participating merchants or Empyr aggregated and anonymized information relating specifically to registered card activity solely to allow participating merchants and Empyr to assess the results of their campaign(s);
That means they are only sharing data from your Acorns debit card, not your external bank accounts. The Plaid part is separate from the debit card/Found Money Plus part.
You also omitted a key quote:
>when you activate your Acorns debit card, you will be asked to enroll in Found Money Plus, a card-linked offer program offered in partnership with Empyr.
The Found Money Plus program is only for transactions on the Acorns debit card, and it is small bonuses for specific spending, for example, 10% cash back at Starbucks. It looks like a company called Empyr organizes these campaigns for the card link offers.
The Acrons debit card is also optional.
If you're getting cash back on a transaction you know the price is sharing your purchases, this concept isn't really new.
You may not sell the data but you give developer's access to bank balance, transaction history, and income streams. Essentially some of the most private aspects of a person's life.
Seems legitimately useful for personal finance tools or loan providers.
However, I know your API is being used by point of sale systems. Seems super unethical for point of sale systems to access any info beyond, is this the right account, does it have enough money. I just hope you're enforcing some kind of restrictions or at the very least warning consumers what they're giving the merchant permission to access.
As long as you're transparent about it in a 30 page ToS then it's all good. Because when you go to checkout at a cash register, you're going to stop and hold the line for an hour or more and read that page.
Not an exaggeration btw, my print dialog estimates that page to be 27 pages printed.
While I'll assume this is only of the customers of a particular product, it is still worrying as many customers may not understand that fact as you are not transparent about your role and the access granted.
It fits 100% in what he's saying. The API grants the developer of the application access to the account history of whoever's logged in. This in no way establishes they are selling anything to any third-parties.
First, I don't think this is usually what is meant when someone is claiming an entity is selling data. My normal interpretation would be that if a company is "selling my data" then they are selling that data to parties I have zero contact or reason to think they would have my data.
I understand what you're saying, but I think it would be less confusing to keep the idea I described above and what Plaid is doing (AFAIU) distinct.
More specifically I understand it as: If I engage with some entity/company/developer and give them the permission and secrets necessary to access my account, they can pay Plaid to make use of them on my behalf in the process of doing whatever it is I gave them that access for.
This activity is, and always has been to me, completely distinct from the activity of "selling my data", although it could result in the one I authorized to access my data through Plaid turning around and selling my data.
When you enter into a transaction using your bank, someone who is not a party to that transaction can see it, and they pay for that access.
Under any framing, that's a third party paying for access to your transaction data.
The user hasn't opted-in if the co-founder of the company is telling people it doesn't happen. It's only opt-in if the user knows it's happening and agrees to it.
If I'm using a financial app, and it pops up with a "App Foo wants to use Plaid to link to your bank", and I go in and enter my banking credentials into that dialog... you're arguing that I have no idea what I'm doing and aren't consenting to anything? Huh?
If you're so confident, go survey Plaid users and find what percentage are aware that Plaid makes money selling their financial transaction history to developers.
Then ask yourself why the founding team goes around and tells people they don't do that.
That'd be a very misleading survey question, as it heavily implies they're selling it to other developers the user didn't engage with at all.
"Are you aware that connecting app Foo to your bank account gives app Foo access to your transactions?" is likely to be met with a resounding "no shit, that's the point..."
So your claim is that the average person on the street understands that if they send someone money on Venmo once, then Venmo gets 24 months of their bank account history?
And your claim is that the point of the user signing up to Robinhood or Venmo is to give Robinhood or Venmo their entire bank account history for the last two years?
I find this implausible. You have an empirical claim. You're welcome to test it.
Thanks for speaking up alehul; for what it's worth, I think it can often be interesting to later reflect on these moments of apparent shame and embarrassment, especially in the context of attempting to speak truth to power.
Accountability and transparency is important long-term; as is questioning possible abuse or misuse of power. Don't be afraid to continue to do so!
Also, always use Hanlon's razor, but it's getting harder and harder to tell genuine conversations from stage-managed ones online, unfortunately. It's the logical extreme of pg's article 'The Submarine'[0].
Here is one discussion from a so-called whistleblower I was involved in. I will let you decide on the ethics[1].
I'm in the ACH space and I personally know a merchant who planned on using them for account verification for point of sale ACH payments. This merchant also planned on grabbing transaction history while they were in there for I don't know what. Analytics maybe? I have no idea if they ever went through with their plan.
This was the merchant, and not Plaid. While Plaid gives such merchants a lot of power, I don't think the ethics issue lies with Plaid (though you could make a good argument that they should grant limited access, and full API access only on a more restricted whitelist basis)
This may be true - but you do still normalize users to the practice of entering their banking login credentials into a web form which is sent to a third party (i.e. yourselves).
In addition I believe the developer gains access to the users' bank transaction history - not just for the duration of their login session, but long-term, which is likely something that users aren't fully aware of in most cases.
Am I mistaken about those?
That is not 'selling' in the historically-used sense of the word, but we are now in a world where 'personal cost' means something different - especially when it comes to services which harvest personal data.
I have my own issues with Plaid, but I think you’re reaching a bit here. Everything Plaid does is opt in by the end user. They’re not selling data unbeknownst to the user (assuming co-founder above is being genuine), the user is giving another service permission to use their data.
As for bank logins...that’s been around since long before Plaid. But I agree there must be a better way. Though I don’t have any great practical ideas.
It's possible I'm overreaching, yep, but I think the past decade has shown - is showing - that simply 'assuming the best' of what will happen with rapid adoption of new technology isn't the most effective strategy. Daemons will come home to roost over time.
Even if users are technically opting in, and even if everything is documented in the privacy policy, a potential end-game here is that startup companies have access to all bank transactions for the people who need to use Plaid - likely people on the ground in the sharing economy who rely on it for payments - and the more fortunate/wealthier folks continue to have financial privacy by virtue of not needing to use it.
Do users have any idea exactly what they're giving up here though? Do they have fine-grained permissions to allow read-only vs write access, and to choose between transaction and account level data? And is there anything that prevents those second-party developers from then turning around and selling data to third parties (besides their own TOS with Plaid)?
Obviously this is a hugely sensitive service, I’m not denying that. But there’s a way to do it right and it seems that Plaid is attempting to do that. So I’m not ready to declare them evil before they actually do anything evil.
Many (most?) banking websites allow transferring money through the UI. A screen scraper technically has the same access.
Unfortunately the current approach of the major aggregation players is the only way to motivate the banks to give customers access to their own data through more reliable means.
It's a big question that I don't have the answer to. I'd prefer we trade off on some innovation on features in exchange for innovating the way we segment and communicate our data. But the market is speaking and it has a different opinion...
Haven't we on this same website celebrated various Gmail clients and services? Same kinds of risk there (email being different than transactions, but in many cases, that may be worse)
The product is obviously amazing, and I know for a fact that it's creating credit opportunities for consumers with credit history that may not accurately reflect their current financial status, but there is an insidious aspect to the product: the 6 months of future access to transactions and banking information. Most consumers don't realize they're giving this up when they use your product and I believe they would be much less likely to use it if they were aware.
> the 6 months of future access to transactions and banking information. Most consumers don't realize they're giving this up when they use your product and I believe they would be much less likely to use it if they were aware.
Can I ask what makes you believe that? Why would someone be A-OK with sharing the previous six months of account transactions but balk at sharing the next six months of account transactions?
Because they have a mental model of what is inside the previous 6 months and can make a judgement regarding whether or not they are comfortable revealing that information, whereas the future 6 months could include purchases that they may not want to reveal for various reasons.
I also think many consumers would simply be creeped out by the idea that these companies can continue to maintain access to their bank statement for 6 months into the future, especially in cases where the consumer has a dispute or negative experience with the company. There are also some underwriting arrangements where companies could leverage future Plaid data to make decisions about how to treat a customer (e.g. monitoring bank balances so that rebilling a delinquent customer can be automatically rescheduled after a deposit)
[1] - https://plaid.com/pricing/