Enforcing stupid & unreasonable ToS in court is a slippery slope that can be used against users.
You want to use an alternative client to export your data because the official client doesn't allow it? ToS violation and the developer of the alternative client gets sued.
Want to screen-scrape some website to automate some tedious manual behaviour? ToS violation and you get sued.
The ability to delegate some manual process (logging into online banking and getting the data) to a third-party (like Plaid) should be a right that we should defend.
At least with credential sharing & screen-scraping nobody can lock you out. Does it suck? Yeah. But I'd rather take a solution that sucks than no solution at all.
In the UK banks (in an attempt to encourage online banking) have a fraud guarantee related to losses from unauthorised access to online banking systems as long as you haven't given your credentials to a 3rd party
Screen scraping, like plaid, obviously breaks that concept.
In that case it seems reasonable for the banks to have a ToS that says "no giving your credentials to third parties".
If there's no such guarantee and the user is on their own from a fraud loss perspective then I don't see a reason for enforcing that kind of ToS.
All that said, the idea of a transactional banking system being online with purely static credentials in 2020 is scary one. Decent 2FA should be used for any system that has a financial impact.
Will be interesting to see where this goes.
I've also seen online mortgage applications ask for banking and retirement account passwords for the purpose of automated form-filling. It seems very shortsighted to give away your password to save 5 minutes filling out a form.
The nightmare scenario is that you give your bank account password to one of these screen scraping services, someone manages to hack them and empties your account, and you can't get the money back because giving away your password violates the terms of service for your online banking.
Also worth noting that the largest of US banks do offer APIs, but a large swath of the rest do not, either due to proprietary systems, choosing not to use their processor-offered solutions, or simply avoiding risk.
So, Plaid will have to scrape for another few years, I suspect, until the banks catch up in the US to what we are seeing in UK and other places.
...and yes, we support 2FA. ;)
Edit: the website itself also returns a 403.
Plaid works great and we’ve ran into next to no issues with customers linking Plaid
It depends on your customers, too.
If you're targeting consumers, Plaid's integration works far better than if you're targeting business bank accounts.
If your company is ONLY supporting Plaid then your issue is that your smarter customers are leaving.
Any organization that asks for your personal password is nefariously normalizing this behavior and building complacency in consumers to trust anyone with their private information.
Worth noting I don’t work for a financial services company so the use case is likely very different than the services you’re discussing.
Apologies if I came off strong, it appears I may be a one-off consumer as opposed to mainstream.
Imagine PCI-DSS compliance but without the exception that you don't have to be PCI-compliant yourself if you don't touch card data and pass it directly to a PCI-compliant payment processor.
It would be an unusual TPP where the data never left the customer's device. Usually there'll be a web service/web app provided by the TPP and the communications will be between the customer and the TPP and then the TPP and the bank (a.k.a ASPSP)
Whilst it's not perfect, it's a hell of a lot better, from a security perspective, than 3rd parties getting full banking creds for customers.
Why? The scenario you mention (providing an unified view of a person's multiple accounts & credit cards) can perfectly be done on the device itself and negates plenty of concerns regarding security, the need for a backend, etc. I personally made an app to display my balance & transactions on my Apple Watch. It's purely local and doesn't even have a backend. Yet, I can't actually launch it "by the rules" because I need to become an AISP even though I never come in contact with actual banking data.
> 3rd parties getting full banking creds for customers.
This is clearly a stop-gap solution until something better comes around, and frankly it isn't the worst solution if you trust the third-party. At least it becomes the user's choice whether to share credentials instead of the bank or some other entity deciding who can and can't have access based on potentially stupid or anti-competitive reasons.
Plaid definitely works with BoA + 2FA, at least as of about a month ago when I had to use it.
Certainly false, at least for Bank Of America. Just yesterday I connected BofA to privacy.com using Plaid and it asked me to enter the SMS 2fa code.
The solution is regulation to force Banks to provide customer data over an API to an authorized third party (preferably with 2FA on that too, and other security mechanisms, like mutual auth, auditing the security and probity of the subscriber etc).
Scraping is such a 1990s solution, and Plaid's Uber-like disregard for rules made it a non-starter for anyone sensible.
Ironically, while it might get systematic integration with VISA, the privacy implications are far worse.
Very few banks have publicly-accessible APIs, and when they do, they likely won't return consistent data. There simply isn't a standard in the U.S. There are literally thousands of banking systems in this country. As someone who helps run a fintech app, I can assure you there are significant numbers of people who are simply members of their local credit union with very limited technology.
I assumed this was because they were switching over to their API, and that was the only way to pull data now. I could be wrong, it just seems weird that 3 different sites made me reauthenticate within a month or so.
They may have fixed it by now, I haven't tried more recently.
My wallet was stolen and before I realized it was gone and could cancel my CCs some dude made like six obviously fraudulent purchases. No Chip and Pin - zero verification. US banking needs to be legislatively hard-reset.
It also means you are holding your cards on your time all the time you use your phone on the street, which is prime time for somebody to come and snag it out of your hand
not a single point at all, it's just a couple cards in the slot.
A few of my friends were talking about Plaid the other day, and I told them I like the company/product, but "many people on HN hate it." They were perplexed and when I explained it was because you guys were nervous about entering your bank password into a third-party (yet reputable) company's interface (that's encrypted), they wrote it off as "being paranoid." Can't say I disagree...
It is probably the one thing you can do today that will at some point cause you lose money from your bank account.
It is not even paranoid. It's a bad idea to leave your bank access codes with someone else.
The less people understand how things work the more likely they are to trust it. This just opens up a new avenue for exploitation.
I previously worked at a “reputable” company whose main product stores usernames and passwords for third-party sites. It’s a conceptually-similar product to what Plaid offers, but in a different problem space. These passwords were encrypted.
* any developer or ops member could trivially have dumped the entire plaintext dataset
* there were multiple bugs discovered that would have allowed dummy accounts to quickly, trivially, and remotely dump the entire plaintext dataset
* if these bugs had been exploited, we would have had no way to know past a few weeks due to log rotation policies
* administrator passwords to systems were often just single English words
If anyone with ill intent had looked at this product for more than an hour, they likely would have discovered some of the bugs mentioned; one was pretty much just a
Combine this with the consequences of a breach: if your credentials are stolen from Plaid and used to steal money from you, your bank, brokerage, or other financial institution can point to your use of this product as cause to deny your claim to have your funds returned. Essentially, they can point to Plaid as a violation of their terms of service, and hold you on the hook for any losses as you voluntarily gave your credentials to a third party.
Hell, even if Plaid isn’t breached and your account is compromised through other means, they can use the logs from Plaid regularly logging into your account to make the same case.
My problem with these services is not that I don't trust them - I know how bad banking IT is, they can't be much worse. What bothers me, is that they teach users that it's okay to enter your credentials into third party sites, a recipe for disaster.
See PSD2 in the EU, for example.
There was a github issue opened, and after several followed up complaints they blocked further commenting and the removed then ticket.
Subject of the ticket [plaid/link] privacy/security concerns (#68)
I refuse to do business with any business that uses plaid and has no sane alternative to get bank account numbers (deposit two small amounts, three days later I tell you what they are)
First time i saw it, i assumed the website had been hacked. I was actually more horrified when I found out that this was working as intended and some website wanted my bank password!
If in doubt, you should check your bank's terms of service for online banking.
I'm a bit horrified this is still a thing, too. Doing this just confirms you have the correct account and routing number, so you can deposit and withdrawal. It won't allow you to see transactions--will it?
FWIW, a minority of banks have "linked apps" that allow you to revoke access from the bank's website (some are clear they're restricting it to read-only access). But I'm not sure how consistent or widespread this kind of thing is. I doubt if you're offering a service like Plaid you could rely on only supporting these institutions.
This was my exact same impression. Even after some Googling and asking friends where I learned this was a thing, I was still very wary that it was legit.
We do use the Plaid Link widget (as do most other fintechs in the US). We don't touch credentials or handle the bank login page.
Commentary about the state of the US banking system aside, Plaid is pretty much the industry standard way to do instant bank account verifications today. However, we also have options to link with debit card and account / routing number if you're not comfortable with the Plaid route (totally understandable).
Also, it's one thing for me to let a third party withdraw money from my checking account (if I provide my account number), but that doesn't mean I want to give them the ability to do things like change my password, disable 2FA, read my transaction history, transfer money out of my other accounts, cancel my cards, and so on — which they can if they have my password. That's just insane.
Information we collect from your financial accounts. The information we receive from the financial product and service providers that maintain your financial accounts varies depending on the specific Plaid services developers use to power their applications, as well as the information made available by those providers. But, in general, we collect the following types of identifiers, commercial information, and other personal information from your financial product and service providers:
Account information, including financial institution name, account name, account type, account ownership, branch number, IBAN, BIC, and account and routing number;
Information about an account balance, including current and available balance;
Information about credit accounts, including due dates, balances owed, payment amounts and dates, transaction history, credit limit, repayment status, and interest rate;
Information about loan accounts, including due dates, repayment status, balances, payment amounts and dates, interest rate, guarantor, loan type, payment plan, and terms;
Information about investment accounts, including transaction information, type of asset, identifying details about the asset, quantity, price, fees, and cost basis;
Identifiers and information about the account owner(s), including name, email address, phone number, date of birth, and address information;
Information about account transactions, including amount, date, payee, type, quantity, price, location, involved securities, and a description of the transaction; and
Professional information, including information about your employer, in limited cases where you’ve connected your payroll accounts.
The data collected from your financial accounts includes information from all your accounts (e.g., checking, savings, and credit card) accessible through a single set of account credentials.
Does Plaid bank the underbanked? I am not sure what their appeal is.
Do they more than replace Yodlee nowadays where it's a SDK for people to scrap bank accounts? Like say if your an accounting app and need to import bank statements.
Here is the list Fintech companies which use Plaid as published in the Visa Acquisition presentation. Many of these (like non-lenders) have no legitimate use for all that info.
I'm cautiously optimistic for a good outcome for the Plaid folks here: last round was two years ago for $250M. Could they have been suffering $10M/month losses and are running out of money? Could be.
No offense to Visa, but I don't think of them as the most innovative organization or one that is a sign of a "good outcome" for a company getting acquired. I can't think of a good exit to Visa, but I am open to being wrong on that one.
Disclosures: worked at Stripe; dealt altogether more than I would have liked with Visa. Have no knowledge of Plaid's particulars.
Edit: Visa and Mastercard were strategic investors in the C round. Curious what the competitive dynamics were that led to Visa grabbing the acquisition instead of MC. https://techcrunch.com/2019/09/16/plaid-announces-strategic-...
Visa is a $434B company. I guess "innovative" is subjective but their valuation trajectory has looked like a high growth tech co over the past 5 years.
But then the other part of me says that I clearly have no clue what I'm talking about, there's basically no chance they could stay relevant this long without being on top of it at some meaningful level. And potential quasi monopoly status doesn't quite capture it. So much of finance has been disrupted by technology, you figure if there's finance companies who wasn't disrupted, it must be because they are the technology.
It seems their main software division is in India and in the US it's mostly sales, servers, mobile, and POS support, suggesting that the company is focused on the bottom line and probably could be disrupted. For example Bitcoin is getting more and more prevalent. But it's going to take a while before supporting a new payment network is as easy as an over-the-air software update. And the recent trend in "disruption" is acquihires as seen here.
Apple couldn't even do it with their in-house credit card.
Governments are eventually going to see "a foreign company owning our major payment networks" as a national security and sovereignity risk, especially if we end up in a multi-major-power world. They'll also eventually covet the data and the ability to disable "inconvenient" business. You might see it take the form of a government-mandated account (would Visa/Mastercard have taken off at the same angle if universal, instant direct debits were available in the US?), or just providing a glidepath for local commercial alternatives. Look at what Russia is doing with the Mir card.
It's not Stripe or Airbnb level growth, however.
my point is that it's clearly not a dying dinosaur of a company. if anything, Visa has too much power in our financial system as more transactions are non-cash and non-ACH based.
FB and GOOG own a part of the internet traffic. Almost all of the worlds internet payments goes through VisaNet and is the fundamental processor of these internet payments and have been profitable for years.
Quite possibly got overbid in that case, which would be a good exit. MC is no slouch in this space.
Company A, 0.05% or 9000+ options vested, IPO, post-lockout sale at net ~$300k, was an early engineering employee
Company B, <0.001% or 10000+ shares vested, very late engineering employee, not liquid yet, hypothetical value in low-mid 6 figures
Make sure you do proper tax planning, taxes take an enormous bite, even with long term capital gains.
If your company IPOs they will withhold shares for you. Only thing to watch for is depending on your income they might underwithold. There isn’t much more to it than that.
Even if you have RSUs (where taxes are customarily withheld), the company will withhold at the minimum statutory rates, which may not match up with your personal tax bracket.
If a company hasn't IPO'ed, an 83(b) election may also make sense.
After whatever lockup you have some fraction of shares remaining. When you sell those and if the price is greater than the IPO price then you have capital gains on whatever shares you still hold.
You still owe tax from the IPO. My point is the company will withhold shares from you, but you might need to pay more if they underwitheld for the IPO. This has nothing to do with your capital gains from selling your remaining shares.
Most states tax capital gains at the same rate as ordinary income.
And then 10 states don't tax income at all.
(Everyone, including the IRS, treats short term gains as regular income.)
imo it’s hard to shake how awkward it is when everyone around you is rich and you’re being offered a regular salary that is now dictated by Visa HR
I was hired by Sun. Just before my start date, Oracle announced they would be buying Sun. I was worried, but it turns out acquisitions are pretty slow processes. There was months of waiting for government approvals, then months more before the culture really started feeling like "Oracle" instead of "Sun."
In short, there's a decent chance that anyone applying now could be on payroll for months or years before Visa actually meaningfully changes anything about Plaid's workflow.
Plaid is a complete joke -- "give us your bank passwords and we'll validate your account". Banks are an even worse joke -- "20,000 logins today from one IP address, nope that's not a scam".
Plaid customers are the worst. Like Transferwise, you cannot setup a business account with them without giving Plaid your business banking passwords. What company treasurer would allow that?
Now that Visa is holding the bag this fixes two problems:
1. For customers, there is less risk that Visa will steal all your money than some "fintech" startup
2. For Plaid customers, they may realize Visa is buying this for the data and they may think of Visa as a competitor and not want to support them.
Because "just give us your sudo password to install software" and "just give us your bank password" to send money is a thing... the obvious dumber people in the future will have to do "just sign this power of attorney to create an account with us."
Banks (at least the big ones) often block aggregator traffic. This is resolved after speaking with them. The usual resolution is to whitelist specific IPs for massive traffic.
Lobby your lawmakers. Banks have no incentive to provide open APIs.
For example, in the UK banks did nothing until they were forced to - the market regulator now requires the nine largest banks to provide an open API (https://www.openbanking.org.uk).
The law doesn't restrict the banks giving access to non-AISPs and, like you say, many of the modern banks do have personal API access, it just sets a minimum bar you have to reach before they're forced to let you in. It seems like a pragmatic middle ground.
What is bad, in my eyes, is the law currently only applies to the CMA9.
In fact I randomly came across me bemoaning this fact 5 years ago lol . Also at one point I wrote my own small wrapper to access parts of their internal API  but I haven't touched that in years so I seriously doubt it still works at all.
I suspected it might be different elsewhere, but I had no idea that the situation was so dire that you had to actively go looking for a bank with an API.
 https://de.wikipedia.org/wiki/Financial_Transaction_Services (German)
 https://de.wikipedia.org/wiki/Homebanking_Computer_Interface (German)
It merely provides a standardized interface to access account data or initiate transactions, but it still uses a plain username/password login to authenticate.
Even that it does not do particularly well – the protocol is horrendously outdated and does not support "recent" inventions like credit cards on many popular banks, which means that banking aggregators have to fall back to screenscraping anyway.
However, this will hopefully change soon with PSD2/SCA, which does mandate such secure account access (based on OAuth2, if I understand it correctly).
I'm not currently aware of a US bank equivalent
In practice, banks never tell you the address of their OFX server and you have to rely on community compiled database (eg ofxhome); many banks' implementations are iffy; some banks even charge you for enabling OFX support on your account. In the end it's just so much easier to outsource this to Plaid, which is why they are a billion dollar business.
"Bank syncing is a critical feature that is coming soon!"
You can manually import QFX/other standard formats though, but not all banks have exports of this, and it's very manual.
I'm thinking of something where you download your statement (usually available in PDF form) and then drag it to a web interface where it then gets OCR'd and processed.
A bit more manual, but the upside is you're not leaking your creds and you should also have access to more data (banks have to provide statements and they usual provide them going back many years).
It uses Plaid out-of-the-box, but it has a pluggable provider model for other data sources: https://github.com/kevinschaich/mintable/blob/master/docs/PR...
In the absence of APIs from most banks, it would be nice if there was a client side personal finance web app that allowed uploading .csv or pdf statements, and scraped those for you locally, perhaps with the option of using your own Google Drive or Dropbox as a persistent storage backend beyond browser localstorage.
there are a few issues though:
1. some banks only send notifications for transactions that are over a certain amount (eg BofA is >$25)
2. the merchant name is arbitrarily cut-off (based on char length), so you don't really get reliable merchant info
Dark patterns galore. Absolutely no indication when you go through a Plaid flow that you're likely giving away much more than just the bare minimum account numbers to push money in/out of your bank account. Often, you're also giving away transaction data, identity, real-time balance, etc. There's no way to know prior to linking your account.
I had high hopes that would have made things more transparent given the new CCPA laws that went into effect on the 1st but have not seen anything change.
Edit: I think the 4D chess move here by Visa is the amount of data Plaid has. Bank transaction data from all types of transactions, not just Visa ones, is massively valuable.
If people were concerned about Google acquiring Fitbit data I would be incredibly concerned about Visa basically buying all financial transaction data...the FTC should really investigate the acquisition.
Banks aren't exactly happy that their API is basically scraping their website, for very valid reasons, including the customer's own security.
If enough of the big banks decided they had enough of Plaid then it would present a massive existential threat to the business. If anything, I think that threat is a reason why they wanted an exit sooner rather than later.
Have to imagine my statements hold more value than their scraping algo
Buying a company to get its most valuable assets is less complicated than that.
I think it's really hard to argue Visa/MC is not a duopoly. Unfortunately anti-trust enforcement in the US has been more political than anything.
Going by that reasoning a monopoly would be even better, as the card would be accepted everywhere.
The consumer pays by lack of innovation and high scheme fees.
IMO not super relevant to topic of competition, there’s 4 networks, the fact that two of them are structured differently doesn’t really have impacts on sellers & customers (other than that the two open networks are significant larger, visa & MasterCard)
Discover also does this, although there are less available. Here is an example through Comenity in partnership with True Value: https://d.comenity.net/truevaluediscover/pub/Home.xhtml They used to do something similar for a card with Wal-Mart.
Waaaaaay past any reasonable threshold for market power scrutiny.
But antitrust is currently dormant in the USA.
But here's my bigger bet. Using this, VISA will launch a competitor to FICO.
There's still lots of problems to solve in the connectivity space that Plaid sits in, and the pursuit of some kind of unified open personal finance data standard isn't really on the table for those steering the big initiatives (e.g. FDX). This is mostly due to the variety of the data and number of players (tens of thousands of institutions). For more on that, this interview with Jeff Leathers, founder of Quovo, a similar company that was acquired by Plaid in 2019 is not a bad listen:
* $4.9B cash consideration
* $400m retention equity as VISA RSUs
Yup, and I'd clarify that the new options aren't 1:1, but calculated based on some price-per-share of the acquired company.
Overall, I'm no fan to these scrapers. Apart from the army of engineers (internal cost) required to maintain them, on the outside they sell a promise that is putting user's privacy at risk.
This is especially prevalent in the bookkeeping space.
Many "me too apps" stitch their services using Plaid to provide bookkeepers with bank feeds & statements for their clients.
Other's use Xero's HubDoc (which Xero paid 70m for few years back) which basically does the same thing; scraping financial statements from many online services using a combination of tools and humans. It's a goldmine for hackers; plain text logins are stored in their database to practically many online accounts owned by business owners.
Amazing to what degree people will go to to save few hours of labor each month.
You gotta figure that's near the top of the S-Curve, right? Very close to 100% of the TAM in the US, and I would imagine that global expansion is costly given banking regulations in different regions. Visa already has the reputation / relationships to push forward there.
Congrats to the team!
I've seen an offer at a ~50 person company for 1-2 basis points.
>7 points by Rainymood on June 21, 2016 [-]
>I'm going to be really rude here (forgive me) but I feel like every time a security question comes up you dodge the question really hard.
>I want to know one thing: If I log into your service with my bank credentials. Do you store these as plaintext files (or "encrypted" files of which you have the encryption key)? Yes/No.
>Furthermore, congratulations! I've been trying to start something up like this in Europe but I feel like there are way more restrictions in Europe on banking data and this kind of third-party aggregation. Sorry for being so rude.
Here is some previous news on Plaid on HN.
* 2016-06-20 Fintech Firm Plaid Raises $44M (wsj.com)
* 2018-12-11 Fintech startup Plaid raises $250M at a $2.65B valuation (techcrunch.com)
* 2020-01-14 Visa Buys Plaid (wsj.com)
Not unusual at all. Pretty typical for CVC in fact. Couple of factors:
1. CVC (Corporate Venture Capital) typically tries to invest in similar markets of companies that either are competitive or pseduo-competitive (think of it as a hedge). For example, this would be like PayPal investing in Venmo.
2. It's cheaper in the long run for a CVC to make 10 of these bets to find that one that doesn't kill their core business model (usually a cash cow). That's why you see Ford/GM putting money into self-driving car start-ups.
3. They were probably not at the level of scale ready for Visa to take them on at the time of the Series C. This was basically a down-payment for their eventual acquisition. It basically "you're too risky for us to buy, so here's some money that we can write off if you end up failing, but if you do fail, we don't have to deal with all of the crap that goes with a failing bus unit (layoffs, compliance, etc).
I'm curious to learn more about strategy here since Paul Graham says there probably aren't more Googles because companies are acquired too soon. Facebook is famous for the Yahoo! offer. Stripe would have been a great acquisition (if they would have accepted any).
1. A de-risking strategy. Investing early effectively discounts a future acquisition, but doesn’t go so far as to bet the farm on the businesses success. They would also gain very early and regular access to financials that would tell them if it’s worth the follow-up plunge or if it is on its way to bust.
2. The founders thought there was more room to grow independently, but wanted to keep Visa friendly and close to home. Best way to do that is to change an acquisition conversation into a partnership/investment conversation.
Or they realized Plaid was becoming too valuable to its competitors. Or they didn't have the cash available at the time. Or Plaid didn't want to sell at the time.
Google Ventures participated in funding a number of companies that Google later acquired.
Had Plaid only been mildly successful, Visa likely would have just continued to let it run and get back its investment. But, now they have a decent amount of transaction data among other things, possibly making it more advantageous to own it outright than hope you can be one of many partners getting access to that data.
Never been a fan of scrapers. Very unreliable and a big security hole especially when MFA is used.
I wonder if the tightening data privacy regulations (CCPA et al) forced them to sell or whether it was just a good sale opportunity.
I learned about it by working in gambling. I cannot believe that people are OK with just giving their online banking details to a company. It's insane! but people are willing to use it because there is almost no other way of getting the product they want.
Take the legislative risk out of handling those types of transactions, and shit like this will disappear.
Edit: I guess I’ll look up their homepage, and try to scroll through the marketing speak to figure it out. Seems like it would be nice if someone in the know could just tell us.
maybe its a good thing i didn't get hired for their SLC office, because i would have quit over this.
i want to be a part of building something that can survive as an independent entity. selling is an admission that this is either not a goal or not possible given the current position of the company. both of these are against my ethics. why should i stay at a company that has openly admitted that they are incapable or unwilling to pursue independence?
> but there's no reason to sell if you have a solid business plan and a realistic vision for future profitability.
They had 5.3 billion reasons to sell. With an acquisition offer that high, it's not about the company's ability to survive independently. It's about doing what's in the best financial interests of the company and employees.
> i want to be a part of building something that can survive as an independent entity. selling is an admission that this is either not a goal or not possible given the current position of the company. both of these are against my ethics. why should i stay at a company that has openly admitted that they are incapable or unwilling to pursue independence?
Your distinction is a bit arbitrary. Plaid wasn't a fully independent company after they took significant money. Take a look at their board of directors. Only 2 out of 5 board members were Plaid executives. They had already "sold" part of the company when you applied.
They don't do ACH transfers.
"""To get started with ACH payments, you need a system that can connect you (the originator of the ACH transaction) with an Originating Depository Financial Institution (ODFI). Additionally, that system should be able to give updates on the status of the payment and give the developer an interface to authenticate, verify, and charge the user on demand.
That’s where Stripe comes in. In January, the payments infrastructure giant debuted support for ACH payments through its platform alongside a partnership with us here at Plaid. Now, Stripe users can authenticate their customers through Plaid (or, if they must, micro-deposits) and then charge them through ACH."""
Am I misunderstanding something?
Okay so maybe they weren't doing the transfers, but they were certainly facilitating them and adding to the adoption of more ACH based payments (which means less credit-card payments). Same conflict of interest applies. What does Visa care about bank account verifications?