As others mentioned, the whole point of an effort towards OpenBanking is that services like Plaid literally store your username/password in their system and impersonate you to do whatever they do. Any software dev worth their salt would instinctively know this is a big security no-no, so to have this happen with your banking credentials of all things and on such a large scale seems insane to me.
An effort to implement OpenBanking is akin to working towards Android-style granular permissions instead of just granting root access to any third party who wants to do something on your behalf.
It's actually kind of crazy how a company was able to build a business out of this and get acquired while doing it, too. If someone would've pitched me the idea, I would've been like "it's doable, but it'll never be a viable business."
I'm not personally surprised that you could find users to buy into this kind of product - I'm amazed that none of the US regulators came down on them hard and killed them dead five+ years ago.
They are probably not doing anything illegal. Sure, you break the bank's terms of service, but you, the user, willingly give the login credentials to the third party.
The problem is not just that the password is stored in a 3rd-party system. Occasionally an engineer has to look at the raw intercepted HTML data if the bank changes their login or data pages.
Intuit (via Quicken) and Microsoft Money were in a position to influence this - they required banks to give access to Quicken servers.
Worse than that, Plaid places the liability on you, so that when their systems get hacked and you lose money, it's your fault, at your expense, for giving them access.
And even that effort demonstrates the incompetency of most financial institutions - anyone with a security team worth their salt would have mandatory two-factor authentication, which would make the approach unworkable.