How Plaid Reconciles Pending and Posted Transactions (opens in new tab)

(blog.plaid.com)

127 pointsbjacokes7y ago26 comments

26 comments

16 comments · 3 top-level

lol7687y ago· 6 in thread

This mostly seems to be required because banks don't provide usable data properly. There should be a way to tie together authorisations and finalized transactions. Any API/interface that doesn't permit this is just broken.

Monzo's API includes a unique transaction ID as well as a timestamp to indicate when (if it has happened) the transaction 'settled'. The open banking APIs implemented by the CMA9 include a BookingDateTime and Status (Booked or Pending) and an immutable transaction ID. It's surely just common sense to do this.

Why is there no regulation to require banks expose a usable API in NA?

syn0byte7y ago

We don't have the whole story of their infrastructure and that a lot of Plaid's data sources are scraped and/or aggregated and repackaged in nonstandard ways. ACH and transaction tracking have been working fine for the last 20 years prior to a clever ML system.

Nacha ACH spec per BoA for example:

https://files.nc.gov/ncosc/documents/eCommerce/bank_of_ameri...

lol7687y ago

It's not exposed though, right? ACH is just for banks settling between themselves, is it not?

The entire point of OB and PSD2 is that any regulated company can get access to this data.

liveoneggs7y ago

why would a bank be required to expose this for a 3rd party commercial user?

ChrisSD7y ago

As mentioned on another thread, the UK enforces such an API for the largest banks (it's voluntary for the others at the moment) https://www.openbanking.org.uk/

This is part of a wider "challenger bank" initiative. Creating space for smaller, usually digital only, banks to create more competition in the consumer banking market. This was thought to be especially important after the "too big to fail" crash. Directly breaking up the larger banks was never going to happen, so instead they created an environment where competition could (hopefully) flourish.

1 more reply

thepangolino7y ago

It should be required to pass it on to you and for you to seamlessly pass it on to any third party of your choosing.

arcticbull7y ago

In my mind the question is why wouldn't they be? It's your transaction data, you have many legitimate uses for it, why not require open access? It's like GDPR but for your bank records. The data's available now, it's just crap. Sometimes banks need a kick in the pants to straighten up.

jaden7y ago· 5 in thread

It's encouraging to see Plaid making this level of effort to be accurate. It seems like it could be a viable alternative to Mint using something like https://github.com/yyx990803/build-your-own-mint (written by the author of Vue.js).

It's scary to think what would happen if one of these services (Mint, Personal Capital, Plaid) had a backend data breach. If they can log in to your financial sites, a breach would mean the attacker would be able to as well.

temp1290387y ago

Isn't it more scary to think how many people are so cavalier with sharing their online banking credentials with a third-party app like Plaid?

I don't think enough people realize that when you authenticate with Plaid, even for apps that don't provide "Mint-like" functionality and have no need for your transaction history, you're giving that developer permission to pull your transaction history, personal information, account balance, etc without any additional permission at anytime.

semerda7y ago

This happen more often than most people realize.

Especially in the accounting tech space. Take a look at HubDoc (which Xero accounting acquired for ~70m) and their practices of asking accountants to share their clients login credentials + challenge questions to every online service they want "automated" instead of using OAuth. Their FAQ even encourages this "Hubdoc will have all of the information it needs to connect and fetch your documents": https://support.hubdoc.com/hc/en-us/articles/360007260052-Wh...

As for bank feeds, no one has solved this the right way. Not even Plaid. Scrapers are not the answer. Maybe open banking standards like already happening in Commonwealth countries? Or a dropbox like app that lives on the user's machine and that does all the scraping without giving away the login credentials to other actors.

ceejayoz7y ago

"I was surprised the app I gave my banking credentials could read my transactions" seems like a weird complaint, considering there's not that much else legitimate you can do with them. I have concerns about Plaid/Mint/etc. being breached. Less so about the access they have.

1 more reply

ceejayoz7y ago

> If they can log in to your financial sites, a breach would mean the attacker would be able to as well.

As an added bonus, banks may disclaim liability because you shared your credentials with a third party.

jaden7y ago

That's a good (although bad for the consumer) point. Are you aware of any examples of this happening?

1 more reply

dangero7y ago· 2 in thread

Reminder that most banks still don’t provide an oauth api for granting read only access to your account info, so we end up with scraping data and problems like this to solve. Plus there is a ton of completely unnecessary risk created here by forcing users to furnish full access credentials to their bank accounts. It’s beyond stupid.

temp1290387y ago

On the other hand, it's crazy to me that we're all talking about how evil Facebook is for selling the fact that I liked "Family Guy" 15 years ago but for some reason we're all OK cheerleading a company that literally enables real-time financial surveillance on unsuspecting users with a purposefully deceitful onboarding flow that hides any mention of what permissions you're actually providing and no simple way to revoke those permission.

ctoth7y ago

On the other other hand it literally takes 30 seconds to change your bank credentials so...

j / k navigate · click thread line to collapse

26 comments

16 comments · 3 top-level

lol7687y ago· 6 in thread

Why is there no regulation to require banks expose a usable API in NA?

syn0byte7y ago

Nacha ACH spec per BoA for example:

https://files.nc.gov/ncosc/documents/eCommerce/bank_of_ameri...

lol7687y ago

It's not exposed though, right? ACH is just for banks settling between themselves, is it not?

The entire point of OB and PSD2 is that any regulated company can get access to this data.

liveoneggs7y ago

why would a bank be required to expose this for a 3rd party commercial user?

ChrisSD7y ago

As mentioned on another thread, the UK enforces such an API for the largest banks (it's voluntary for the others at the moment) https://www.openbanking.org.uk/

1 more reply

thepangolino7y ago

It should be required to pass it on to you and for you to seamlessly pass it on to any third party of your choosing.

arcticbull7y ago

jaden7y ago· 5 in thread

temp1290387y ago

Isn't it more scary to think how many people are so cavalier with sharing their online banking credentials with a third-party app like Plaid?

semerda7y ago

This happen more often than most people realize.

ceejayoz7y ago

1 more reply

ceejayoz7y ago

> If they can log in to your financial sites, a breach would mean the attacker would be able to as well.

As an added bonus, banks may disclaim liability because you shared your credentials with a third party.

jaden7y ago

That's a good (although bad for the consumer) point. Are you aware of any examples of this happening?

1 more reply

dangero7y ago· 2 in thread

temp1290387y ago

ctoth7y ago

On the other other hand it literally takes 30 seconds to change your bank credentials so...

j / k navigate · click thread line to collapse