
There should be a law for this. The EU has an open banking API law that requires banks to make this data available electronically over an API.

The US needs an open banking law. This should not be an optional feature for banks to offer. It should be an absolute requirement.

I think it's insane to enter your credentials into Plaid. Almost every banking agreement I've ever seen disclaims liability if your account is breached because you shared your password. So, if you share your password with Plaid, and Plaid is breached, and someone uses your banking credentials to drain your account, I think a bank could wash their hands of it and walk away in that situation.

I'm sure the Plaid engineers are great, and that their data is stored securely (and maybe they don't store the password at all in their systems). But I'm not willing to bet my entire bank account on them being perfect.



Plaid is almost 10 years old and I think there are probably several verbatim comments on HN since the introduction of Plaid. Unfortunately I don't think we will ever see such a law; the landscape has changed from 10 years ago and:

1. Plaid has pretty much been blessed by the largest player in the space (the, now blocked, acquisition by Visa).

2. The banks are glad to outsource development of banking APIs to one single customer. Even CapitalOne, who seemed horrified at the integration, built an OAuth endpoint.

3. The queue of banking regulations is a mile long and is deeply politically controversial among those who vote.

4. Our geriatrics in congress will never see this as an important issue.

It's just easier to not use Plaid.


Oh, yes, I would absolutely never use Plaid, or any service that requires it in the meantime.

But, there are many services that should exist, that could be safely used, if such an API mandate existed.

I actually think it’s a matter of time. Eventually the current state of affairs will lead to a crisis. Someone operating like Plaid (a centralized nexus of banking passwords) will be breached, funds will be drained, and banks will shrug.

At that point, the API law becomes much more likely. Banking regulations have a way of moving very slowly until a crisis erupts.

Another path is, once most of the bigger banks develop their own APIs, they will probably push for the regulation as a path to making it harder for smaller banks to compete.


> if you share your password with Plaid, and Plaid is breached, and someone uses your banking credentials to drain your account, I think a bank could wash their hands of it and walk away in that situation.

Is "Plaid is breached" necessary? Or is it enough for the bank to be aware that you used Plaid?


I don’t know, I’m not a lawyer, just a concerned bank customer that read my TOS.

My guess would be that your bank account being compromised would need to flow in some way from you sharing your password. But, it might be a matter of "who has the resources to make a claim in court", which could be a challenge for most people if they just lost their bank account (hell, it would be hard for most people even with access to their savings).


From what I remember from reading my bank contract: they claim that any password sharing and blatantly insecure behavior waive bank responsibility.

It may not be enforceable, but in my case any use of Plaid or a Plaid-like tool would allow the bank to claim that they are no longer responsible for any fraud.

(For reference: I am from Poland, and have never encountered any non-scam asking me for my bank account, though banks have a different variety of problems.)


[I work at Plaid] Not to get into too much of this, but the Consumer Financial Protection Bureau has issued guidance that banks are still required to comply with the consumer protection measures provided by Reg E (and thus cannot fully disclaim liability) even when a fraudulent transfer is the result of password sharing. More info at https://www.consumerfinance.gov/compliance/compliance-resour...

Though this is still obviously not a replacement for open banking, and I would still love open banking laws in the US (and hopefully better implemented / constructed than the open banking laws in Europe!)


Can you provide more specifics on this?

I reviewed the register https://www.federalregister.gov/documents/2011/12/27/2011-31... and the link you provided.

I don't see anything that would extend the coverage to a service that is providing a read-only view into the account, or anything that mentions password sharing. I _think_ I could see what you're describing in maybe the description of the transitive nature of Regulation E to cover "non-bank payment providers", but I don't see anything that would protect me if I shared my bank password with Mint via Plaid?

I'd love to know more, and as a lay person I'm having a hard time working my way through all the language of Regulation E.


Sure. The most relevant section would be the "Error Resolution: Unauthorized EFTs" FAQ section in the link in my previous post, especially FAQs 4-8.

(Also, just to clarify how Plaid works, Plaid does not share account credentials with Plaid's customers, so you wouldn't be sharing your password with Mint via Plaid. Instead, Plaid provides token-based access to data via an API.)


Thanks! That was very helpful!

After looking at those answers and reviewing the relevant parts of Regulation E that it cites, I do feel like the regulation pretty comprehensively disallows banks from imposing liability on the consumer for sharing their password. Answer 8 especially, which notes that no waiver of Regulation E is allowed, makes me feel more comfortable.

I'd still support an open-banking API law, but your citations here have really turned down the urgency for me on that issue.

(And, yep, I'm aware that Plaid does not share the password beyond itself and the relevant bank it's authenticating with.)