5/15/2026 at 5:04:29 PM
I’ve been asked to sign up to Plaid by clients three times. Each time I’ve said no. I’m not giving a 3rd party access to my bank account. I don’t understand how people enable this total loss of friction for direct account egress. There needs to be friction.
by binarymax
5/15/2026 at 5:22:47 PM
Hijacking this comment to complain about fintech apps / saas providers requiring Plaid - please stop.
For example, Coinbase requires logging in with Plaid to... set up auto-pay for their credit card statements. No way to just provide account/routing numbers the good ole way.
There's lots of issues with Plaid but one big one is that banks (e.g. big ones like BofA) can lock your account due to suspicious login with Plaid.
by webo
5/15/2026 at 6:28:05 PM
Airbnb requested Plaid access to my entire Chase account and all transactional data to "verify my credit card" a few years ago, and wouldn't budge until I tried Apple Pay, where they apparently weren't able to figure out the underlying issuer and accordingly left me alone.
Needless to say that it was my last stay with Airbnb.
by lxgr
5/17/2026 at 12:11:04 PM
What will you do once all of the accommodation providers start doing this AND they figure out how to see through Apple Pay?
by egorfine
5/15/2026 at 5:25:43 PM
They're a YC company so every other YC company is going to use them, that's how YC companies operate.
by measurablefunc
5/15/2026 at 5:40:03 PM
This isn't at all how YC companies operate (source: I did YC), but also... Plaid is not YC.
by necubi
5/15/2026 at 6:32:24 PM
Seems kinda weird then that they're listed in workatastartup.com: https://www.workatastartup.com/jobs/15283
by measurablefunc
5/16/2026 at 9:09:21 AM
Plaid is not a YC company. You can just google it to confirm.
by andsoitis
5/16/2026 at 4:41:35 PM
Yet they are listed on the site that claims to only have YC companies. Very odd.
by measurablefunc
5/16/2026 at 4:49:16 PM
I don’t know why they are on there, but YC startups list their batch and year in parentheses on job posts, e.g. (W25). Example: https://www.workatastartup.com/jobs/88812
The Plaid listing you linked doesn’t have a batch by their name.
by 1123581321
5/17/2026 at 11:03:42 PM
Funnily enough, Flock has stopped doing that.
by FireBeyond
5/16/2026 at 6:20:48 PM
Still kinda weird that a non-YC company gets to have job listings on a site for only YC companies.
by measurablefunc
5/16/2026 at 6:30:17 PM
I don't know; I'm not involved. Just noticed the UI affordance.
by 1123581321
5/17/2026 at 8:47:41 AM
Clearly you are not involved lol. The suggestion seems to be that YC is involved in some way; perhaps untraditional.
by Rapzid
5/15/2026 at 5:28:50 PM
Plaid has an option to let the client/provider accept plain account + routing numbers, a lot of apps for whatever purpose don't use it.
by webo
5/15/2026 at 5:40:15 PM
Plaid is not a YC company
by alexr243
5/15/2026 at 6:27:07 PM
They have job listings in workatastartup.com but maybe any startup can now be listed even if they're not a YC company: https://www.workatastartup.com/jobs/15283
by measurablefunc
5/15/2026 at 5:09:04 PM
Refinancing a loan, I passed on the lowest possible rate I could get, for a slightly higher one, specifically because they used Plaid.
I'm not the most privacy-focused individual, not nearly as paranoid as I could be, but Plaid's model is an OBVIOUS step too far.
by chao-
5/15/2026 at 5:26:46 PM
Depending on the rate difference, I'd be tempted to set up a 'burner' checking account at a separate financial institution and just auto-transfer the loan amount from my primary bank to the burner every month.
by njovin
5/15/2026 at 5:32:38 PM
That generally wouldn’t pass underwriting. They want the account the money is coming from to be the account with history and money in it already.
by lazide
5/15/2026 at 6:15:40 PM
My bank's underwriter/loan officer actually said to get the best rate with them to specifically set up an account with them (They aren't my day to day bank) and just use it for my house payment. For the past decade the only transactions it has ever seen have been the direct deposit and the auto-withdraw for the mortgage.
by saratogacx
5/15/2026 at 5:50:49 PM
Really? Both times I got a loan they wanted bank statements from all of my main accounts and verifiable income history, but they didn’t care that I was paying from an account that I had just opened for the specific purpose of paying the loan.
by el_benhameen
5/15/2026 at 6:17:02 PM
I'm not OP, but I assumed from their post that they meant the loan provider wanted Plaid access in order to perform underwriting - as in give us access to your account(s) so we can pull your banking history via an automated manner instead of sending PDFs.
Could be wrong though, as I never considered it'd be used for payments at all.
by phil21
5/15/2026 at 6:09:50 PM
same. maybe it just depends on the bank, but i can't imagine why that would matter at all. they have the whole picture of your financial history, generally. what does it matter whether that one bank account has only enough in it to pay off the loan every month.
by volkk
5/17/2026 at 5:29:00 PM
BMO offered the ability to link Plaid and some other company to automate it vs me sending updated statements manually. I chose manual. I hate that this is the only option for convenience.
by shostack
5/15/2026 at 5:31:35 PM
They do because their banks are largely not offering anything more fine grained, because they don’t have to, and in fact doing so would cannibalize their debit card business.
Requesting full account access for anything other than maybe budgeting software should just not be legal.
by lxgr
5/15/2026 at 5:19:12 PM
Have you ever entered your routing+account number into HR software for direct deposit? Doesn't that qualify as handing a third party essentially the same access as Plaid gets? I think bank accounts are generally more accessible in the modern era, it's just a risk that you take.
Of course, you're not obligated to use Plaid but I do find the concerns around this quite strange since you're likely exposing account information already.
by hypeatei
5/15/2026 at 5:23:32 PM
Plaid wants you to enter your bank username-password into their form. If it was just routing+account it would be truly no different than other bank connection methods.
by whycombinetor
5/16/2026 at 4:25:55 PM
That's not how it worked last time I used it with Chase Bank. It used something like OAuth with my bank where I logged in on my bank website and asked what accounts I wanted to share with Plaid.
by hahn-kev
5/15/2026 at 5:29:29 PM
Plaid works a lot like PSD2-based services in the EU then, which also typically consist of a form hosted by the service using Times New Roman and the original padlock.gif from Netscape asking for your IBAN and online banking password and then a TAN/2FA number. Obviously there are no technical controls at that point to what the service can do in your account. I tend to avoid anything PSD2 for much the same reasons as Plaid, it's extremely sketchy. Somehow we can have scoped access using OAuth for random webservices but for a credit check it's "please just give us your online banking login despite everyone telling you since 1995 that you're not supposed to hand that to anyone and always double check the URL in the address bar to be yourbank.com... we assure you nl-gwlogin.xs2a.openbankingservices.co.net is an entirely legitimate place to enter your PIN"
by formerly_proven
5/15/2026 at 6:30:43 PM
At this point, it's often OAuth, but in my view, the exact means of access is a red herring: The only thing that changes between screen scraping and OAuth is that Plaid doesn't get my banking password, which is literally the least of my concerns compared to persistent access to my account transactional data.
by lxgr
5/15/2026 at 5:35:37 PM
The same info is also on checks, and there's an established story around fraud there -- if I didn't authorize an ACH withdrawal then my bank is legally required to make me whole. If I hand over my username+password to a third party, I'm on my own.
Also, the routing+account numbers just let them deposit/withdraw money, not snoop on all my transactions and harvest my data...
by gavinsyancey
5/15/2026 at 6:30:14 PM
This is a common belief, but the CFPB has stated your bank is still legally required to make you whole in the event of fraud even if you handed over your username and password to a third party, and that any bank TOS stating otherwise are not valid. This is covered on the CFPB Electronic Fund Transfers FAQ, under the Error Resolution: Unauthorized EFTs, Question 8: https://www.consumerfinance.gov/compliance/compliance-resour...
by phoenixy1
5/15/2026 at 6:32:58 PM
In Germany, there was a similar antitrust-based ruling, but it even went further: They disallowed banks from blocking screen scraping services, as they considered the existence of screen-scraping-based confirmed instant bank transfers a valuable competitor to the (bank-led) card payment schemes.
In retrospect, they were maybe right on the competitive part, but the data privacy impact was disastrous.
by lxgr
5/15/2026 at 5:31:54 PM
Whenever I have seen the Plaid integration it will also ask permission to your transactions. HR software won't get those when I provide it my account & routing numbers.
by buzer
5/15/2026 at 5:25:03 PM
With Plaid they get access to all of your account numbers.
HR just sees a single savings account that I strictly use for direct deposit. They don’t see my actual savings account or my other purpose-specific checking accounts.
by redserk
5/15/2026 at 5:32:34 PM
Sure, but GP mentioned direct account egress which is why I brought up the typical method for doing that. I figured banks are already selling / reporting the other information (account types, amounts, transactions, etc.)
As an aside, I think each permission has to be granted explicitly in Plaid so it's not just getting "root" access to do simple transactions (unless you grant it)
by hypeatei
5/15/2026 at 5:27:25 PM
routing+account numbers are not that sensitive. that's been API for how we transact money since pre-historic times. plaid gets access to your online account with access personal data, security details, documents, transactions, statements, write-access etc.
by webo
5/15/2026 at 5:34:06 PM
It’s roughly the difference between giving somebody your phone number and letting them eavesdrop on every single call.
by lxgr
5/15/2026 at 5:33:30 PM
Generally no. Plaid access generally includes whatever name you put on the account, as well as transaction history.
by lazide
5/15/2026 at 5:23:07 PM
plaid asks for your bank username and password not just your routing + account
by liveoneggs
5/15/2026 at 5:18:54 PM
One thousand times this. I am not giving away the keys to my bank accounts.
by josephscott
5/15/2026 at 5:33:20 PM
It’s worse than keys, it’s a persistent read-only view of all account data.
At least there is a process for unauthorized ACH debits. For this blatant breach of privacy, there is nothing.
by lxgr
5/15/2026 at 7:16:43 PM
Plaid requires your bank username and password, so they have full read-write access to your account. They can do anything you can do when logged in to the bank's website, and so can anyone else who gains access to Plaid's database.
by robhlt
5/15/2026 at 7:27:43 PM
> They can do anything you can do when logged in to the bank's website
Which is hopefully nothing beyond looking at transaction data without 2FA.
by lxgr
5/15/2026 at 7:52:39 PM
Plaid's login flow also requires a 2FA code if your bank requires it. The same 2FA code that banks say to never provide to anyone else.
They're literally proxying the bank's login page just like a phishing site would, and I assume they're also selecting the "trust this computer" option so their access is more persistent. My bank does require re-2FA for larger transfers, but there's still a lot of damage I can do on a "trusted" computer without triggering another 2FA prompt.
by robhlt
5/15/2026 at 7:59:58 PM
To be honest, that's on the bank then.
Doing re-2FA for every outbound transfer, and mentioning the consequences of entering the 2FA code out of band (e.g. "enter code 123456 to confirm transfer of x$ to y" or "press OK to confirm transfer..." in a mobile app) should be the bare minimum these days.
by lxgr
5/17/2026 at 6:57:43 AM
Lmao that must have been an American thing. Here it just uses the open banking APIs.
by MagicMoonlight
5/17/2026 at 7:48:08 AM
While I understand the risk of sharing sensitive information (e.g. bank login) with a 3rd party. But the current situation is such that your bank currently monopolizes your bank information to improve your loan offer, to give you better service at better rate based on their understanding of your bank transaction history.
Currently, there is no aligned format for sharing your bank transaction history with other financial institutions of your choice. Your current bank is the one who purposely makes it hard (only allowing you to share it through the same bank login) so that you are more locked-in in their ecosystem.
I used to work with Plaid as a provider, and you will notice certain banks who really do not like their customers using Plaid in sharing their bank transaction history with competitors will often have unscheduled maintenance that Plaid wouldn’t work so that you as a user would find friction using someone else and stay with only using products within their ecosystem.
I think the real question is less about why are we using Plaid to share our transaction information. If we are to have an open format to share our banking transaction history, what should be that format and what would be the lock and key for it?
by claw-el
5/17/2026 at 8:47:24 AM
Maybe the mechanism for sharing could be inspired by OpenBanking? In the UK and EU all the banks have to offer API access to accounts.
Instant transfer (sub-second) for free is available to everyone. (Up to a certain limit)
by diroussel
5/15/2026 at 5:59:37 PM
Many banks just OAuth with Plaid now.
by wilg
5/17/2026 at 1:24:25 AM
What a statement. What a statement. How many financial institutions do they support? How many different vendors supply the platform for those institutions? How many of those financial institutions (FI) don’t support oauth or other APIs? A lot! Then ask yourself: how do they get the data if no api? Web scraping. Then ask yourself how they build the scrapers for those? Where do those accounts come. Employees of the company who open up accounts at those FIs? What about all the other FIs? Where do you think those come from…? How do you think that process is secured? Think the process is secured enough to make you feel warm and cozy? When the scrapers are working, how do you think they get past the security measures? Do you think those financial institutions might think it’s odd that you’re logging in from multiple IPs and that one or more of those ips might be from a residential proxy network?
The result is that I attempt, at all cost to not use anything that requires Plaid or their competitors since I know how that sausage is made.
by _boffin_
5/15/2026 at 6:14:54 PM
But what comes after? Can users decline or at least downgrade the level of access requested by whoever wants to peek into their bank account? Do banks clearly indicate (and periodically remind the user about!) all parties currently having access to their account?
It's usually still persistent full access, and given that, the question of whether the user's password also leaks in the process is almost beside the point.
by lxgr
5/15/2026 at 9:23:26 PM
I was repeatedly pressured to hand my bank account logins over to Plaid when I bought a house. People always seemed surprised when I refused. Maybe they were just acting that way to pressure me into making their sale process slightly easier, but I got the impression most people just go along with it.
Handing my finances over to a company like that is a hard no for me, I can't imagine ever doing business with someone who required it.
by rurp
5/15/2026 at 5:40:38 PM
easy - just keep a small amount (small %) in that account.
by asah
5/15/2026 at 6:29:09 PM
If it doesn't look like a real account, you usually won't get whatever you're signing up for.
by lxgr
5/16/2026 at 12:00:10 AM
If it happens for enough people, then Plaid is proved to be not as efficient or as useful as advertised, and adoption slows or reverses.
by anakaine