What Is Plaid and Why Does Your Bank Use It
Plaid is a financial technology intermediary that securely connects your bank account to third-party applications like Venmo, Robinhood, and modern budgeting tools. By acting as a digital bridge, it allows these applications to verify your identity, check your balance, and facilitate payments without ever requiring them to store your actual banking password.
The Digital Plumbing of Modern Finance
To understand the necessity of Plaid, one must first look at the historical architecture of the consumer financial system. Before the rise of specialized data aggregators, the banking sector was built almost entirely for a physical, branch-based world. If a consumer wanted to initiate a wire transfer, apply for a personal loan, or verify their identity for a new financial service, the process often required a visit to a local bank branch, the physical mailing of voided checks, or the faxing of printed bank statements 1. As digital finance expanded rapidly in the early 2010s, a critical missing link became apparent to software developers. Connecting a modern, fast-moving application - such as a peer-to-peer payment platform or an automated savings tool - to the legacy, localized infrastructure of thousands of isolated banks was incredibly difficult, if not impossible 1.
Plaid was originally founded to build a consumer-facing budgeting application, but the founders quickly realized that the underlying data connection infrastructure they needed simply did not exist 1. They pivoted to solve this fundamental "chicken-and-egg" problem by building the necessary infrastructure themselves 12. Today, Plaid operates as the digital plumbing - or the proverbial "shovels and pans" of the fintech gold rush - facilitating communication across a highly fragmented ecosystem 14.
Instead of an application developer dedicating years to writing thousands of custom integrations to communicate individually with every major commercial bank, regional credit union, and digital wallet platform, the developer only needs to write a single integration to Plaid 52. Plaid then handles the complex routing, authentication, and data normalization across its massive network 45. As of the mid-2020s, this network spanned over 12,000 distinct financial institutions across the United States, Canada, the United Kingdom, and Europe 43.

The scale of this infrastructure is immense. By 2025, industry estimates indicated that at least half of all adults in the United States had interacted with Plaid's technology in some capacity, connecting over 500 million consumer accounts worldwide 445. The company's revenue reportedly rose more than 25% in 2024 alone as consumer demand for seamless digital financial experiences continued to outpace the capabilities of legacy banking interfaces 5.
Why Your Bank and Fintech Apps Use Plaid
When an individual downloads a new digital financial service and attempts to create an account, the application immediately faces a high-stakes challenge. It must verify that the user's bank account actually exists, confirm that the individual legally owns it, and ensure there are sufficient funds available to perform a transaction. Historically, achieving this involved the slow, friction-heavy process of micro-deposits, where an application would deposit two amounts of a few cents into the user's account and ask the user to verify the exact amounts days later 1. If the onboarding process takes days, modern consumers simply abandon the application.
Applications utilize Plaid because it offers a suite of Application Programming Interfaces (APIs) designed to instantly execute these verification tasks 526. An API is essentially a set of standardized rules and protocols that allows two different software programs to communicate and share data securely without exposing their underlying proprietary code to one another 26.
Core API Products and Functionality
Through this API layer, Plaid offers distinct products that power highly specific features within the financial applications we use daily. Rather than offering a single generic data feed, Plaid segments its network into specialized tools 511127.
The Auth and Balance products serve as the foundational layer for payments. When a user links an account, Auth instantly verifies the account and routing numbers to enable immediate Automated Clearing House (ACH) transfers, while Balance checks real-time funds availability to prevent costly overdrafts and failed payments 121415. For more complex financial management, the Transactions product retrieves up to 24 months of historically categorized transaction data across checking, credit, and student loan accounts. This data engine is what powers automated budgeting dashboards, allows apps to detect recurring subscription payments, and enables lenders to underwrite loans based on actual cash flow rather than relying solely on traditional credit scores 41112.
Plaid also heavily focuses on risk mitigation through its Identity and Signal products. Identity verifies the account holder's name, physical address, and email address against the bank's official records, helping applications comply with stringent Know Your Customer (KYC) regulations and prevent synthetic identity fraud 1216. Meanwhile, products like Signal and Monitor utilize machine learning across Plaid's massive network to assess the real-time risk of a transaction bouncing or to detect patterns of fraud before a transfer is finalized 7148.
Where Plaid Operates in the Ecosystem
The invisible, embedded nature of Plaid means consumers frequently use the service without realizing it. The technology powers the onboarding, funding, and data aggregation mechanisms for a vast array of the digital economy.
| Category | Typical Use Case | Example Applications Powered by Plaid |
|---|---|---|
| Payments & Wallets | Linking a primary checking account to instantly fund a digital wallet, split bills, or send peer-to-peer transfers. | Venmo, Cash App, PayPal, Wise, WorldRemit, Metal 15189 |
| Investing & Crypto | Verifying external funding sources to allow instant deposits for stock market trading or cryptocurrency purchases. | Robinhood, Coinbase, Kraken, Acorns, Wealthfront, M1 Finance 1518920 |
| Neobanks & Digital Banking | Funding a newly created digital-only bank account from an existing legacy, brick-and-mortar bank account. | Chime, Varo, Current, MoneyLion 1518920 |
| Lending & Cash Advances | Analyzing cash flow, verifying payroll income, and assessing transaction history to underwrite loans instantly. | SoFi, Earnin, Dave, Petal, Figure, Avant 718921 |
| Personal Finance | Aggregating checking, savings, and credit card data to provide a unified dashboard of an individual's net worth. | YNAB (You Need A Budget), Rocket Money, Copilot, Cleo 18922232410 |
For legacy financial institutions, cooperating with data aggregators like Plaid has shifted from a reluctant necessity to a strategic priority 5. Banks recognize that their customers demand the ability to use third-party fintech tools. By establishing secure, formal data-sharing agreements and dedicated APIs with Plaid, banks ensure their customers can access these modern tools without compromising the bank's own internal security infrastructure or overloading their servers with unauthorized access attempts 51112.
The Mechanics of a Plaid Connection
To understand why Plaid is widely considered a secure intermediary, it is necessary to examine the technical flow of how data is authorized and retrieved. A common and persistent misconception is that third-party applications - such as Venmo or Robinhood - hold and store the user's banking username and password directly. In a properly configured modern Plaid integration, this is fundamentally false 152829.
The connection layer is handled by a user-facing interface called Plaid Link. When a consumer opens an application and selects the option to add a funding source, the application initializes this Plaid-hosted module. For most fintech applications, this Link module is the very first touchpoint a user has with a bank connection, making its speed and reliability critical to the app's overall conversion rate 11.
The Token Exchange Lifecycle
The data lifecycle follows a strict tokenization process designed to isolate credentials from the third-party developer. The flow begins when the application's backend server requests a temporary, single-use code called a link_token from Plaid 1613. The application passes this token to the user's mobile device or web browser to securely open the Plaid Link interface 13.
From this point forward, the consumer interacts entirely within the secure confines of Plaid Link. They search for their specific bank and are securely routed to an authentication screen. Depending on the technological maturity of the consumer's bank, this may involve logging in directly on the bank's secure portal (via a protocol called OAuth) or entering credentials securely into Plaid's encrypted system 1213. Plaid handles all necessary security hurdles, including sending and verifying Multi-Factor Authentication (MFA) codes via SMS or email 1216.
Once the consumer is successfully authenticated, Plaid Link generates a short-lived public_token and hands it back to the third-party application 1613. The application cannot use this public token to read any data. Instead, the application's backend server securely transmits this public_token back to Plaid's servers, exchanging it for a permanent access_token and an item_id, which represents the specific bank connection 1613.
The application securely stores this access_token in its database. Whenever the application needs to update a balance, fetch new transactions for a budgeting dashboard, or verify funds before a transfer, it sends a request containing the access_token to Plaid's API 21113. Plaid verifies the token, retrieves the specific requested data from the financial institution, and securely returns it to the application 211.
This tokenized architecture means the application developers never see, touch, or store the consumer's banking credentials. The application only holds an opaque token string that grants read-only permission for the specific, explicitly authorized data types 21528. If that token is revoked (by the user, the bank, or Plaid), it stops working immediately, whereas a stored password would remain valid until changed.
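The lifecycle above, as an added, self-contained simulation rather than Plaid's own code or SDK. The endpoint names mirror Plaid's real routes (link token creation, public token exchange, balance retrieval, item removal), but the in-memory "Plaid", the token formats, the lifetimes, the sandbox credentials and the sample checking account are all constructed for this example. It checks the properties the text relies on: a public_token cannot read data and is consumed by the exchange, the backend stores only the access_token and item_id, and removing the Item invalidates the token.

```python
import secrets
import time


class PlaidAuthError(Exception):
    """Stands in for the error response the real API would return."""


class FakePlaid:
    """In-memory stand-in for Plaid's servers (constructed for this example)."""

    CLIENTS = {"client_abc": "secret_xyz"}   # constructed developer credentials
    LINK_TOKEN_TTL = 4 * 3600                # assumed lifetime of a link_token (seconds)
    PUBLIC_TOKEN_TTL = 30 * 60               # assumed lifetime of a public_token (seconds)

    def __init__(self, clock=time.time):
        self.clock = clock
        self.link_tokens = {}    # link_token -> (client_id, expires_at)
        self.public_tokens = {}  # public_token -> (client_id, item_id, expires_at)
        self.items = {}          # item_id -> bank connection; credentials never leave this side
        self.access_tokens = {}  # access_token -> item_id

    def _check_client(self, client_id, client_secret):
        if self.CLIENTS.get(client_id) != client_secret:
            raise PlaidAuthError("INVALID_API_KEYS")

    def link_token_create(self, client_id, client_secret):
        self._check_client(client_id, client_secret)
        token = "link-sandbox-" + secrets.token_hex(8)
        self.link_tokens[token] = (client_id, self.clock() + self.LINK_TOKEN_TTL)
        return {"link_token": token}

    def link_authenticate(self, link_token, bank_username, bank_password, mfa_code):
        """Runs inside Plaid Link in the user's browser; the app backend never sees the inputs."""
        client_id, expires = self.link_tokens.pop(link_token, (None, 0))
        if client_id is None or self.clock() > expires:
            raise PlaidAuthError("INVALID_LINK_TOKEN")
        if (bank_username, bank_password, mfa_code) != ("user_demo", "pass_demo", "123456"):
            raise PlaidAuthError("INVALID_CREDENTIALS")  # constructed sandbox credentials
        item_id = "item-" + secrets.token_hex(6)
        self.items[item_id] = {"active": True, "accounts": [{"name": "Checking", "available": 1234.56}]}
        public_token = "public-sandbox-" + secrets.token_hex(8)
        self.public_tokens[public_token] = (client_id, item_id, self.clock() + self.PUBLIC_TOKEN_TTL)
        return {"public_token": public_token}

    def item_public_token_exchange(self, client_id, client_secret, public_token):
        self._check_client(client_id, client_secret)
        owner, item_id, expires = self.public_tokens.pop(public_token, (None, None, 0))
        if owner != client_id or self.clock() > expires:
            raise PlaidAuthError("INVALID_PUBLIC_TOKEN")  # pop() above makes it single use
        access_token = "access-sandbox-" + secrets.token_hex(8)
        self.access_tokens[access_token] = item_id
        return {"access_token": access_token, "item_id": item_id}

    def accounts_balance_get(self, client_id, client_secret, access_token):
        self._check_client(client_id, client_secret)
        item_id = self.access_tokens.get(access_token)
        if item_id is None or not self.items[item_id]["active"]:
            raise PlaidAuthError("INVALID_ACCESS_TOKEN")
        return {"accounts": self.items[item_id]["accounts"]}

    def item_remove(self, client_id, client_secret, access_token):
        """Disconnects the Item: the access_token is invalidated and no further data flows."""
        self._check_client(client_id, client_secret)
        item_id = self.access_tokens.pop(access_token, None)
        if item_id is None:
            raise PlaidAuthError("INVALID_ACCESS_TOKEN")
        self.items[item_id]["active"] = False
        return {"removed": True}


def rejected(call):
    """True if the simulated API refuses the call."""
    try:
        call()
    except PlaidAuthError:
        return True
    return False


def run_flow(plaid, client_id="client_abc", client_secret="secret_xyz"):
    """Walks one Link session end to end and records what each step yields."""
    backend_db, out = {}, {}  # backend_db: the app's persistent store (tokens only, never passwords)
    # 1. Backend creates a link_token and hands it to the client.
    link_token = plaid.link_token_create(client_id, client_secret)["link_token"]
    # 2. User authenticates inside Plaid Link; credentials go to Plaid (or the bank via OAuth), not the app.
    public_token = plaid.link_authenticate(link_token, "user_demo", "pass_demo", "123456")["public_token"]
    # 3. A public_token is not a data credential; using it to read a balance is refused.
    out["public_token_read_rejected"] = rejected(
        lambda: plaid.accounts_balance_get(client_id, client_secret, public_token))
    # 4. Backend exchanges the public_token for an access_token + item_id and stores them.
    backend_db["user-1"] = plaid.item_public_token_exchange(client_id, client_secret, public_token)
    # 5. The exchange consumed the public_token; a replay is refused.
    out["public_token_replay_rejected"] = rejected(
        lambda: plaid.item_public_token_exchange(client_id, client_secret, public_token))
    # 6. Data access uses only the stored access_token.
    access_token = backend_db["user-1"]["access_token"]
    out["balance"] = plaid.accounts_balance_get(client_id, client_secret, access_token)["accounts"][0]["available"]
    # 7. Disconnecting the Item revokes the token; later reads fail.
    plaid.item_remove(client_id, client_secret, access_token)
    out["after_remove_rejected"] = rejected(
        lambda: plaid.accounts_balance_get(client_id, client_secret, access_token))
    out["backend_stored_password"] = "pass_demo" in repr(backend_db)
    return out
```

Calling run_flow(FakePlaid()) returns the recorded outcomes; the point of the design is that only the exchange and data calls require the developer's client secret, so the public_token can travel through the browser without being usable there, and the only durable secret the app holds is a token the user or bank can revoke.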

The Evolution of Access: Screen Scraping to APIs
While the token exchange between Plaid and the third-party app is highly secure, the underlying method Plaid uses to connect to the actual bank has undergone a massive, industry-wide transformation. The ecosystem has spent the last several years shifting from a controversial, fragile legacy method known as "screen scraping" to a secure, industry-standard protocol known as OAuth 21214.
The Fragile Era of Screen Scraping
In its early days, before legacy banks offered dedicated data APIs to third parties, Plaid and other financial aggregators relied heavily on screen scraping 23233. Under this method, the consumer provides their banking username and password directly to the aggregator during the onboarding flow. The aggregator's software then securely stores these credentials and uses them to programmatically log into the bank's consumer-facing website 323334. Once logged in, the automated software simulates human behavior, "scraping" the HTML code of the webpage to read balances and extract transaction histories as if it were a human user looking at the screen 3234.
While screen scraping was an innovative bridge technology necessary to prove consumer demand for connected finance, it was fraught with systemic issues 233. Primarily, it required the aggregator to store the user's credentials - albeit in a highly encrypted state 3335. Furthermore, the connections were notoriously fragile. If a bank simply redesigned its website, altered its login button placement, or updated its password expiration policies, the screen scraping script would immediately break. This severed the connection, resulting in synchronization errors and forcing the user to manually re-authenticate their credentials 333435.
The Transition to OAuth and Direct APIs
As the fintech industry matured and transaction volumes skyrocketed, financial institutions and data aggregators collaborated to replace screen scraping with dedicated Application Programming Interfaces utilizing the OAuth (Open Authorization) 2.0 protocol 23415.
OAuth is a globally recognized, industry-standard authorization framework that allows users to grant third-party applications access to their information without ever sharing their underlying passwords 121516. When a consumer uses a Plaid-powered application that supports an OAuth connection, they are seamlessly redirected away from Plaid to their actual bank's website or mobile app to log in 323416. The bank verifies the user's identity, explicitly asks which accounts and data types they consent to share, and then issues a secure, revocable authorization token directly to Plaid 323416.
Comparing Technical Connection Methods
| Feature | Legacy Screen Scraping | Modern OAuth APIs |
|---|---|---|
| Credential Handling | The aggregator must collect and store the consumer's encrypted banking username and password 333435. | Credentials remain strictly with the bank; the aggregator only receives an authorization token 323435. |
| Security Risk Profile | Higher risk due to the centralized storage of login credentials by unauthorized third parties 333435. | Substantially lower risk; utilizes token-based authorization that can be instantly revoked 3235. |
| Connection Reliability | Highly fragile. Breaks if the bank updates its website UI, HTML structure, or changes password policies 3335. | Highly reliable. Built on stable, contractually maintained software endpoints designed for machine communication 3335. |
| Data Granularity | All-or-nothing access. The scraping bot sees everything the user would see on their screen 3435. | Granular access. The consumer can explicitly permission specific data sets (e.g., sharing a checking account, but hiding a mortgage) 3235. |
| Retrieval Performance | Slow. It can take 5 to 30 seconds as the software navigates through multiple web pages 35. | Fast. Direct data retrieval often occurs in roughly 500 milliseconds 35. |
By 2025, Plaid had successfully migrated the vast majority of its network traffic away from screen scraping and toward these API-driven integrations 212. To accelerate this transition across the long tail of smaller regional banks and credit unions, Plaid partnered with major identity management providers like Okta 121517. This partnership allowed financial institutions to adopt OAuth standards rapidly and securely, ensuring compliance with emerging industry standards mandated by consortiums like the Financial Data Exchange (FDX) 1517.
Security, Privacy, and the $58 Million Settlement
The sheer volume of sensitive financial data flowing through Plaid's network places the company under intense scrutiny regarding its security protocols and privacy practices.
From a purely technical standpoint, Plaid utilizes robust, bank-level security measures to protect data in transit and at rest. Data transmitted between the financial institution, Plaid's servers, and the end third-party application is protected in transit by Transport Layer Security (TLS), and stored data is encrypted at rest using the Advanced Encryption Standard (AES-256) 141528. Plaid's core infrastructure complies with strict industry certifications, including SOC 2 Type II and ISO 27001 14.
Furthermore, a pervasive myth surrounding aggregators like Plaid is that the company operates as a data broker, selling consumer transaction histories to third-party marketers for targeted advertising 2918. The company has explicitly and repeatedly stated, including in sworn statements by its executive team, that it does not and has never sold consumer data 1523. Plaid's core revenue model relies entirely on charging the application developers - such as Venmo or Robinhood - a transactional or subscription fee for utilizing the API infrastructure, rather than monetizing the underlying data itself 4.
The 2022 Class Action Privacy Lawsuit
Despite these technical safeguards, Plaid has faced significant legal challenges regarding its transparency, data minimization practices, and user interface design. In July 2022, a federal judge approved a $58 million class-action settlement stemming from consolidated litigation regarding Plaid's past privacy practices 18404142.
The consumers in the lawsuit alleged two primary grievances. First, they claimed that Plaid's older user interface was designed to mimic the login screens of individual banks so closely that users did not realize they were providing their credentials to a third-party aggregator rather than their own bank 184219. Plaintiffs argued this practice violated California's anti-phishing laws, which prohibit misrepresenting oneself to induce the handover of sensitive information 1842. Second, plaintiffs alleged that Plaid historically collected more transactional data than was strictly necessary for the specific application being used, exploiting its position as a middleman to aggregate vast amounts of transaction history without explicit consent 404219.
Outcomes and Interface Redesigns
While Plaid officially denied all allegations of wrongdoing and maintained that its practices were transparent, the court-approved settlement mandated sweeping changes to the company's business practices alongside the monetary payout 184019.
The $58 million fund distributed payments to affected users, covered $11 million in attorney fees, and directed unclaimed funds to privacy-focused organizations like Consumer Reports and the Privacy Rights Clearinghouse through cy pres awards 1819. More importantly, the injunctive relief required Plaid to permanently alter the Plaid Link interface to ensure total transparency. The redesign ensured users clearly understand Plaid's role as a middleman before they input any data 184041. Furthermore, the company was legally bound to minimize the data it collects moving forward and to delete vast troves of historical transactional data for users who had not actively connected accounts for specific transaction-based services 1819.
How to Manage and Revoke Your Plaid Data
A direct result of industry maturation and the 2022 privacy settlement is significantly enhanced consumer control over financial data. Historically, once a consumer linked a bank account to a budgeting application or payment tool, that connection persisted indefinitely - even if the consumer deleted the application from their smartphone 44. Plaid would continue to pull data in the background to ensure the application remained synced if the user ever returned.
Today, consumers have multiple, accessible avenues to audit, manage, and completely revoke third-party access to their financial data, ensuring they are no longer leaving a trail of active data connections across the internet.
Method 1: The Plaid Consumer Portal
In direct response to demands for greater transparency and as part of the settlement remediation, Plaid launched an official, consumer-facing dashboard located at my.plaid.com 23194420.
Consumers can navigate to this portal and create an account using the phone number and email address they typically associate with their financial applications 442046. Upon identity verification, the portal automatically queries Plaid's backend and presents a comprehensive list of every application that has ever accessed the user's financial institutions via Plaid's network 4446. Users can view exactly what types of data are currently being shared and can click "Disconnect" or "Remove" to sever the API link immediately 444621. This action instantly revokes Plaid's access, preventing any future data sharing or ACH transfer authorizations without needing to contact the third-party app directly 444621.
Furthermore, the portal allows users to execute their "Right to Delete," forcing the deletion of their historical financial data from Plaid's internal systems entirely, ensuring no residual data is stored beyond what is strictly required by anti-money laundering laws 23202249.
Method 2: Bank-Hosted Security Dashboards
As major financial institutions adopt modern OAuth APIs, they are increasingly offering centralized control panels within their own mobile banking apps and secure websites. This allows consumers to audit and sever third-party ties directly from the bank's side, providing a critical "belt-and-suspenders" approach to data security 1144.
| Financial Institution | How to Revoke Third-Party App Access |
|---|---|
| Chase Bank | Navigate to "Security & Privacy" and select "Linked apps and websites." This displays all active API connections, allowing users to uncheck specific accounts or revoke access entirely 2351. |
| Bank of America | Within the "Profile & Settings" menu, locate the "Security Center" and select "Manage Third-Party Access" to view and revoke active data-sharing consents 4424. |
| Wells Fargo | Access "Manage Connected Apps" under the security profile to monitor and revoke Plaid's authorization 51. |
| Citi | Navigate through Account Management settings to the linked accounts screen to revoke access on an app-by-app basis 44. |
| J.P. Morgan | Under "Settings," go to "Security & privacy," then scroll to "Linked apps" to view and manage shared data permissions 25. |
It is important to understand the technical limitations of these revocation methods. For some institutions, such as Wells Fargo, revoking Plaid's access at the bank level acts as a master switch, severing the connection for all Plaid-powered applications simultaneously, rather than disconnecting a single specific app 51.
Additionally, whether a consumer disconnects an app via the Plaid Portal or their bank's dashboard, the action only stops future data sharing. Any historical data that the third-party application (e.g., a budgeting tool) previously collected and stored on its own proprietary servers will remain there. To achieve complete data deletion, the consumer must contact that specific application directly and submit a privacy request 2124.
The Global Shift to Open Banking Regulation
The rules governing how intermediaries like Plaid operate, what specific data they can legally access, and how consumer consent is managed vary dramatically depending on geographic jurisdiction. The global shift toward "Open Banking" - the standardized practice of providing open access to financial data through secure APIs - is playing out very differently in the European and American markets 6555657.
The UK and European Standard: Regulation-Driven
In Europe and the United Kingdom, the Open Banking ecosystem was catalyzed by sweeping, top-down government mandates. The implementation of the revised Payment Services Directive (PSD2) across the European Union and the CMA9 mandate in the UK legally stripped incumbent banks of their historical monopoly over consumer financial data 6555657.
These regulations dictated that if a consumer explicitly consents, banks must share their financial data with authorized third parties. Crucially, the UK Open Banking Standard mandated a single, prescriptive technical specification that all major banks were legally required to implement consistently 555758. In this highly structured environment, data aggregators like Plaid cannot operate freely; they must undergo rigorous audits and be formally licensed by regulatory bodies - such as the Financial Conduct Authority (FCA) in the UK - as an Account Information Service Provider (AISP) or a Payment Initiation Service Provider (PISP) 61426.
Because the API endpoints are heavily regulated, well-documented, and standardized across the continent, the archaic practice of screen scraping was quickly rendered obsolete 555758. The ecosystem benefits from highly uniform consent frameworks, reliable connectivity, and clear legal liability rules, making the European market a global pioneer in secure financial data sharing 555860.
The United States: A Historic Market-Driven Approach
Conversely, the United States has historically operated a highly fragmented, industry-led model completely devoid of a single government mandate dictating technical standards for data sharing 5555661. Without legally mandated APIs forcing banks to open their vaults, data aggregators had to innovate rapidly to meet skyrocketing consumer demand. This lack of standardization is precisely what resulted in the heavy, prolonged reliance on screen scraping and the subsequent need for aggregators to negotiate complex, bilateral data-sharing agreements individually with thousands of different banks 51256.
The Catalyst: CFPB Section 1033
However, this "Wild West" paradigm in the United States is currently undergoing a massive, structural shift. In October 2024, the Consumer Financial Protection Bureau (CFPB) officially finalized its highly anticipated "Personal Financial Data Rights" rule, executing its authority under Section 1033 of the Dodd-Frank Act 561276328.
The CFPB's Section 1033 rule serves as the official regulatory foundation for Open Banking in the United States, transitioning the ecosystem toward a regulatorily supervised framework 61276529. While the rule is currently facing expected legal challenges from banking trade groups - which resulted in a temporary federal injunction pausing enforcement as of early 2026 - the finalized text establishes several fundamental, transformative consumer rights regarding financial data 6768:
- Mandated API Access: Covered financial institutions (data providers) are legally required to make consumer data - specifically including transaction history, account balances, and payment initiation details - readily available to authorized third parties in a standardized, machine-readable electronic format 33276330. This effectively mandates the universal transition to secure APIs and officially initiates the regulatory phase-out of screen scraping as a viable compliance method 332763.
- Zero-Fee Data Sharing: To foster competition and prevent incumbents from stifling innovation, banks are strictly prohibited from charging consumers or third-party applications arbitrary fees for accessing this baseline financial data 276730.
- Strict Data Minimization: The rule outright bans "bait-and-switch" data harvesting. Authorized third-party applications can only collect, use, and retain the exact data reasonably necessary to provide the specific product or service the consumer requested 276370. They are explicitly prohibited from secretly harvesting transaction data for unrelated secondary purposes, such as targeted advertising, cross-selling, or selling the data to third-party brokers 276370.
- Re-Authorization and Deletion: Consumer consent is no longer considered perpetual. API connections are valid for a maximum of 12 months, after which the consumer must be prompted to explicitly reauthorize access 27286731. Furthermore, if a consumer revokes access, data retrieval must cease immediately, and the deletion of collected data becomes the default regulatory practice 27286731.
The compliance timeline for Section 1033 was designed to be phased based on the asset size of the financial institution. The largest commercial banks were originally scheduled to achieve full compliance by April 2026, while the smallest covered institutions were given an extended runway until April 2030 to upgrade their legacy systems 276872.
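An added example, not Plaid's or any bank's code, that ties together the bank-side OAuth consent described in "The Transition to OAuth and Direct APIs" and the consent rules listed above for Section 1033. It simulates a bank acting as OAuth 2.0 authorization server: the user logs in at the bank, selects which accounts to share (granular access, as in the comparison table), the aggregator receives only a single-use authorization code and then a token, access is limited to the consented scope and accounts, consent expires after MAX_CONSENT_DAYS so re-authorization is needed, and revocation stops retrieval and deletes the aggregator's cached data. The client registration, redirect URI, scope name, sample accounts and password are constructed; the 365-day constant is this example's reading of the 12-month limit.

```python
import secrets
from datetime import datetime, timedelta, timezone

MAX_CONSENT_DAYS = 365  # Section 1033: consent must be re-authorized at most every 12 months


class ConsentError(Exception):
    """Stands in for the error response an authorization or data server would return."""


class Bank:
    """Bank as OAuth 2.0 authorization server plus data API (constructed, not any bank's code)."""

    def __init__(self, clock):
        self.clock = clock                       # injectable clock so expiry can be exercised
        self.registered = {"aggregator-1": "https://aggregator.example/callback"}  # constructed
        self.accounts = {"chk-001": {"type": "checking", "balance": 2500.00},      # constructed
                         "mtg-001": {"type": "mortgage", "balance": -240000.00}}
        self.auth_codes = {}                     # code -> pending grant (single use)
        self.tokens = {}                         # access_token -> active grant

    def authorize(self, client_id, redirect_uri, state, scopes, shared_accounts, password):
        """Consent screen at the bank: the user logs in here and picks which accounts to share."""
        if self.registered.get(client_id) != redirect_uri:
            raise ConsentError("invalid_client")
        if password != "correct horse battery":  # constructed; only the bank ever sees it
            raise ConsentError("login_failed")
        if not set(shared_accounts) <= set(self.accounts):
            raise ConsentError("unknown_account")
        code = secrets.token_urlsafe(16)
        self.auth_codes[code] = {"client_id": client_id, "scopes": set(scopes),
                                 "accounts": set(shared_accounts)}
        return {"code": code, "state": state}    # echoed state lets the client bind the redirect

    def token(self, client_id, code):
        grant = self.auth_codes.pop(code, None)  # pop: an authorization code is single use
        if grant is None or grant["client_id"] != client_id:
            raise ConsentError("invalid_grant")
        grant["expires"] = self.clock() + timedelta(days=MAX_CONSENT_DAYS)
        tok = secrets.token_urlsafe(24)
        self.tokens[tok] = grant
        return {"access_token": tok, "expires": grant["expires"].isoformat()}

    def balances(self, tok):
        g = self.tokens.get(tok)
        if g is None:
            raise ConsentError("invalid_token")       # revoked or never issued
        if self.clock() >= g["expires"]:
            raise ConsentError("consent_expired")     # re-authorization required
        if "balances" not in g["scopes"]:
            raise ConsentError("insufficient_scope")
        return {a: self.accounts[a]["balance"] for a in sorted(g["accounts"])}

    def revoke(self, tok):
        self.tokens.pop(tok, None)


class Aggregator:
    """Third party: holds only the token, and must delete cached data when consent ends."""

    def __init__(self, bank):
        self.bank, self.token, self.cache = bank, None, {}

    def connect(self, code, state, expected_state):
        if state != expected_state:
            raise ConsentError("state_mismatch")      # binds the redirect to the session it started
        self.token = self.bank.token("aggregator-1", code)["access_token"]

    def refresh(self):
        self.cache = self.bank.balances(self.token)
        return self.cache

    def disconnect(self):
        self.bank.revoke(self.token)                  # stop all future retrieval ...
        self.token, self.cache = None, {}             # ... and delete what was collected


def fails(call, code):
    """True if call() raises ConsentError with the given code."""
    try:
        call()
    except ConsentError as e:
        return str(e) == code
    return False


def demo():
    """Grant, use, expire and revoke one consent; returns the observable outcomes."""
    now = [datetime(2025, 1, 1, tzinfo=timezone.utc)]
    bank, out = Bank(clock=lambda: now[0]), {}
    agg, state = Aggregator(bank), secrets.token_urlsafe(8)
    redirect = bank.authorize("aggregator-1", "https://aggregator.example/callback", state,
                              scopes=["balances"], shared_accounts=["chk-001"],
                              password="correct horse battery")
    agg.connect(redirect["code"], redirect["state"], state)
    out["visible_accounts"] = sorted(agg.refresh())                 # mortgage withheld by consent
    out["code_replay_rejected"] = fails(lambda: bank.token("aggregator-1", redirect["code"]), "invalid_grant")
    now[0] += timedelta(days=MAX_CONSENT_DAYS + 1)                  # past the 12-month limit
    out["expired_rejected"] = fails(agg.refresh, "consent_expired")
    old_token = agg.token
    agg.disconnect()
    out["cache_cleared"] = agg.cache == {}
    out["revoked_rejected"] = fails(lambda: bank.balances(old_token), "invalid_token")
    return out
```

Running demo() shows the contrast with screen scraping in one place: the aggregator never possesses the password, sees only the checking account the user approved, loses access on the expiry date without anyone changing a password, and has a single revocation point that also triggers deletion of what it collected.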
Comparing Open Banking Regulatory Frameworks
| Regulatory Feature | UK & European Union (PSD2 / Open Banking Standard) | United States (Pre-2024 Market-Driven Era) | United States (Post-CFPB Section 1033) |
|---|---|---|---|
| Primary Driver | Top-down government mandate driven by the CMA, FCA, and EU Commission 655. | None. Purely industry-led innovation and market demand 5661. | Regulated by the CFPB utilizing authority under the Dodd-Frank Act 2763. |
| Technical Standardization | Standardized, uniform API specifications are mandated by law 555758. | Highly fragmented ecosystem relying on a mix of proprietary direct APIs and legacy screen scraping 556. | Legally mandates machine-readable developer interfaces (APIs) and phases out screen scraping 3363. |
| Data Usage Limitations | Bound by strict GDPR and PSD2 privacy regulations 5561. | Governed loosely by complex, dense Terms of Service agreements 61. | Explicitly bans secondary data use and sale; strictly limits data to the intended consumer use case 2770. |
| Consent Lifespan | Requires frequent consumer re-authentication (historically every 90 days) 658. | Perpetual access until manually discovered and revoked by the user 44. | Maximum 1-year access limit before explicit consumer re-authorization is legally required 2867. |
Scale and Future Outlook for Open Finance
The combination of regulatory clarity and improving API infrastructure has led to massive global adoption of open banking technologies.
In the United Kingdom, open banking has evolved from a niche fintech concept into everyday financial infrastructure. By late 2025, the UK ecosystem recorded over 16.5 million active open banking user connections, representing a significant portion of the adult population 733275. More notably, open banking is increasingly being used to actively move money, rather than just read data. The UK saw over 351 million successful open banking payments in 2025 - a 57% year-over-year increase - with consumers frequently using the technology to pay taxes directly to HMRC, settle credit card bills, and automate "me-to-me" transfers through sweeping Variable Recurring Payments (VRPs) 733233.
In the United States, despite the historical lack of regulation, consumer demand has driven comparable scale. Over 80 million US users actively interact with open finance tools, with Plaid's technology touching roughly half of all American adults by 2025 55573.
As the digital plumbing stabilizes, networks like Plaid are shifting their focus toward "intelligent finance." With reliable API connections secured, the next frontier involves using artificial intelligence and machine learning to analyze the vast streams of categorized transaction data. This enables advanced cash-flow underwriting models that expand credit access, highly accurate real-time fraud detection networks, and deeply personalized financial management tools that proactively guide consumer behavior 477734.
Bottom line
Plaid functions as the essential digital infrastructure connecting modern applications like Venmo and Robinhood to the vast, fragmented network of legacy banking systems. By utilizing specialized APIs, it allows consumers to securely share their financial data with budgeting tools, lenders, and payment platforms without ever exposing their raw banking passwords to those third parties. While the company has faced historical scrutiny over early practices like screen scraping and interface transparency, the industry is rapidly maturing. The widespread adoption of tokenized OAuth connections, the introduction of centralized consumer control portals, and the enforcement of the CFPB's new Section 1033 data rights rule are fundamentally securing the open banking ecosystem, ensuring that consumers retain ultimate control over who sees their financial data and for exactly how long.