Personally, ever since Chase dropped OFX direct-connect access to my data, I've kept my Chase credit card account open, but I rarely use it anymore. They still offer manual downloads in CSV, QIF & QFX formats, so that's good enough for the amount that I use the card.
It was a little bit of a hassle but I opened a new credit card account at my bank (Regions) that provides free OFX direct-connect access and some pretty generous cash-back incentives.
Screw Chase and any other financial institution that makes my life more difficult.
With financial institutions withdrawing Direct Connect services, if folks want automatic downloads then using aggregators is really the only possible solution. Moneydance cannot become an aggregator; it does not have the resources to do so.
Attempts were made to automate downloads via the institutions' web sites; however, after a considerable amount of work it was found that just continuing to develop and maintain this would be a major undertaking, probably of a scale to rival Moneydance itself, hence it proved not to be viable.
The most private solution, short of manual data entry, is to download and import transactions manually.
Maddy on 14 Jul, 2023 09:27 AM
Thank you for contacting Moneydance support.
In order to link to your bank, Plaid will redirect your browser to the bank's site which authenticates you directly. Neither Plaid nor Moneydance ever sees your password or even username for that matter. The bank redirects your browser back to Plaid with a token that is used to access your accounts at that bank for some period of time.
As soon as the access token is acquired by the Moneydance+ server, it is encrypted using the public key from your linked data file. That means that only your data file can ever decrypt that access key, and even our server cannot access it.
We've made every effort possible to not require the Moneydance+ server at all and have all communication go between Moneydance and your bank or Moneydance and Plaid. Unfortunately, that's simply impossible, so we went with the route where the MD+ server is the smallest most basic piece that sees as little information as possible.
So, when Moneydance downloads transactions, it has to go through the MD+ server which authenticates your data file's public key and then basically pipes the connection through itself to Plaid which returns your transactions.
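The property Maddy describes above (the server seals the access token to a public key held only in the user's data file, so the server stores something it cannot read) is the kind of thing worth seeing in code. The following is an added illustration written for this thread, not Moneydance+ or InfiniteKind code, and it assumes a scheme of my own choosing: X25519 key agreement with an ephemeral server-side key, a SHA-256-based key derivation (a simplification of HKDF), and AES-256-GCM. The token string is constructed for the example, and how the server authenticates the data file's public key before proxying is left out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Sealed is all the server-side store keeps: an ephemeral X25519 public key,
// a GCM nonce and the ciphertext. Without the client's private key none of
// these fields allow recovery of the token.
type Sealed struct {
	EphemeralPub []byte
	Nonce        []byte
	Ciphertext   []byte
}

// deriveKey binds the AES-256 key to both public keys so a ciphertext cannot
// be silently re-targeted to another recipient. SHA-256 over the shared
// secret is a simplified KDF chosen for this example; HKDF is the usual choice.
func deriveKey(shared, ephPub, recipientPub []byte) []byte {
	h := sha256.New()
	h.Write([]byte("token-seal-v1"))
	h.Write(ephPub)
	h.Write(recipientPub)
	h.Write(shared)
	return h.Sum(nil)
}

// SealToken runs on the server. It holds only the recipient's public key, so
// once this returns the plaintext token can be dropped from memory and the
// server retains nothing it could decrypt itself.
func SealToken(recipientPub *ecdh.PublicKey, token []byte) (Sealed, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return Sealed{}, err
	}
	shared, err := eph.ECDH(recipientPub)
	if err != nil {
		return Sealed{}, err
	}
	ephPub := eph.PublicKey().Bytes()
	block, err := aes.NewCipher(deriveKey(shared, ephPub, recipientPub.Bytes()))
	if err != nil {
		return Sealed{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return Sealed{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Sealed{}, err
	}
	// The ephemeral public key goes in as associated data, so swapping it
	// out in storage is detected when the client opens the blob.
	ct := gcm.Seal(nil, nonce, token, ephPub)
	return Sealed{EphemeralPub: ephPub, Nonce: nonce, Ciphertext: ct}, nil
}

// OpenToken runs on the client, where the private key lives in the data file.
// It returns an error for a wrong key or for any tampered field.
func OpenToken(priv *ecdh.PrivateKey, s Sealed) ([]byte, error) {
	ephPub, err := ecdh.X25519().NewPublicKey(s.EphemeralPub)
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(deriveKey(shared, s.EphemeralPub, priv.PublicKey().Bytes()))
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, s.Nonce, s.Ciphertext, s.EphemeralPub)
}

func main() {
	// Client side: the keypair that would live in the data file.
	clientKey, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Server side: a constructed stand-in for the token the aggregator returns.
	token := []byte("access-sandbox-constructed-example-token")
	sealed, err := SealToken(clientKey.PublicKey(), token)
	if err != nil {
		panic(err)
	}
	fmt.Printf("server stores %d ciphertext bytes and no plaintext\n", len(sealed.Ciphertext))
	got, err := OpenToken(clientKey, sealed)
	if err != nil {
		panic(err)
	}
	fmt.Printf("client recovered: %s\n", got)
	// A key the server might generate for itself cannot open the blob.
	other, _ := ecdh.X25519().GenerateKey(rand.Reader)
	if _, err := OpenToken(other, sealed); err != nil {
		fmt.Println("wrong key rejected:", err)
	}
}
```

The point to check when evaluating a design like the one described is the second half of the flow, not this part: sealing the stored token protects it at rest on the server, but when transactions are downloaded the server still proxies the live connection, so what it can see in transit is a separate question from what it can decrypt from storage.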
The issue is not with password security. It is much, much worse.
Every time a user uses MoneyDance+/Plaid to download their bank activity (daily?), it gives Plaid access to *ALL* their accounts for that bank. By access I mean transaction history, balances, account numbers, etc. Plaid then passes the transaction history to MD, but also stores the data and sells it to marketing firms.
Plaid was sued over this behavior and paid $58m in settlement. Quote: "As part of the settlement, Plaid is required to delete some of its stored data [and] minimize the data it collects going forward..." Keywords: *SOME* of its stored data and *MINIMIZE* the data it collects. It does not say delete existing data and stop collecting new data...
In short, Plaid is a for-profit company, what is their business model? Sell account holder data. Pure and simple. Are you ready to distribute your credit card transaction history so you can be better targeted by advertisers?
The only viable solution is for InfiniteKind to develop a browser extension that will download QFX files from financial institutions, similar to what AwardWallet does with hotels and airlines to download rewards activities. User credentials are stored locally and the financial data is downloaded straight to the user's computer. I'd be more than willing to pay a reasonable subscription fee for this, and I bet I would not be the only one.
This is not true. It may be true in some countries, but it is not true for Plaid in the UK with Open Banking... For example, when I connect a UK bank, the bank asks which account(s) to grant access to; it's clear what info they provide. Plaid NEVER has access to my login details. Yes, it has read-only access to certain data.
I believe in the US it may be different, as you describe.
Maddy on 27 Jul, 2023 05:27 AM
Generally, in order to connect your accounts, Plaid will ask you to login to your bank. For many banks, Plaid will ask for your username and password and store it on their servers in order to enable continuous access to your transactions. For an increasing number of banks, Plaid will open a browser window directly to your bank's web site where you can login. In those cases, Plaid will store a token provided by the bank and not have access to or store your username and password. In all cases, Moneydance does not have access to your username or password.
I hope this information is helpful. Please let us know if you have further questions or need more assistance.
Every aggregator stores the transactions on their servers; it is the way they provide later retrieval and can efficiently download information. No aggregator does on-demand data downloads with no storage. That is what Direct Connect did, and it is a service that many U.S. institutions are no longer interested in providing.
Aggregators like Yodlee state up front that they use the data for analysis, that is part of their business model.
The first suit against Plaid was Cottle v. Plaid Inc., 20-cv-03056-DMR (N.D. Cal. Jul. 20, 2022), where the court awarded $58 million to the plaintiffs; a second was filed by TD Bank in New Jersey, May of 2020, for trademark infringement. TD Bank later settled with Plaid. In the first suit it emerged that when Plaid appeared to open a browser window "directly to your bank's web site" it was in fact spoofing the bank login websites and capturing and storing the login credentials of the user. It would then log on to the bank site itself and download all the data from that account that was available on that server. The TD suit was filed on the grounds that such spoofing was trademark infringement. In the Cottle case Plaid agreed to cease certain of its practices, but one does not know which have stopped.
Sounds like the user's ID and PW are pretty well protected with the MD+/Plaid method, and the key question is how do we know the data being passed back to us via a Plaid server and the MD+ server is secure and not being logged by Plaid or MD. I am inclined to believe MD is not logging readable data, but not so much in the case of Plaid. Maybe MD can provide a bit more detail on why they think this data is protected in the path from our banks through Plaid; for instance, is the data encrypted from bank to us, and who might have the encryption key?