When you use Plaid to connect your bank account to an app, Plaid collects your account details, balance, transaction history, and in some cases your actual bank login credentials.
This analysis describes what Plaid's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Credential collection is among the most sensitive data practices in consumer finance, and users may not realize that a financial infrastructure company, rather than just the app they are using, is receiving and handling their bank login information.
Interpretive note: The full verbatim policy text was not available in the truncated document; this provision characterization is based on Plaid's publicly documented privacy policy language and the visible page metadata.
End consumers may see their financial data accessed by a broader range of people under developer accounts, but Plaid now requires developers to formally designate and manage these 'Authorized Users' and take responsibility for their conduct. The introduction of session replay and activity monitoring means developer interactions with your financial data may be recorded for audit or security purposes. The policy does not specify what data is covered by monitoring or how long recordings are retained, which creates operational uncertainty for developers handling sensitive consumer financial information.
View change record →Plaid's updated terms establish a new direct relationship with you through the Plaid Account and introduce a monitoring service that operates through a web app. The terms now authorize Plaid to share financial information needed for third-party apps to initiate payments to or from you, which is a broader statement of data-sharing scope than the previous language. This means Plaid's role shifts from primarily facilitating connections to third-party apps toward directly providing account services, including monitoring. The effective date is April 14, 2026, though the change was detected on April 19, 2026. Review your Plaid Account settings to understand what data Plaid holds and how the monitoring service works.
View change record →The updated terms clarify that Plaid may request and collect phone numbers, email addresses, and other contact information when you connect financial accounts or verify your identity through a Plaid-connected application. The terms no longer describe a separate Plaid Monitoring Service or Plaid Web-App. The Plaid Account is now framed primarily as a tool to accelerate onboarding and use of third-party applications rather than as a standalone service for monitoring and alerts. The updated language authorizes Plaid to store identity verification data within your Plaid Account if you choose to do so.
View change record →If Plaid collects your bank credentials during the connection process, those credentials are transmitted to and temporarily or persistently handled by Plaid's systems, creating exposure risk beyond the app you intentionally logged into.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
If we collect health information from these integrations (such as heart rate), we will not sell or use it for advertising or other similar purposes; we do not disclose it to third parties without your prior consent; and we will only use it for the specific purposes described in this Policy.
We collect your personal data when you use our Services, create a new eBay account, provide us with information via a web form, add or update information in your eBay account, participate in online community discussions or otherwise interact with us.
Monitoring
Plaid has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"When you connect your financial accounts to an application that uses Plaid, we collect information from those accounts including account and routing numbers, account balances, transaction history, and in some cases account credentials such as usernames and passwords in order to establish and maintain the connection.— Excerpt from Plaid's Plaid End User Privacy Policy
REGULATORY LANDSCAPE: Credential collection in financial data access engages the Gramm-Leach-Bliley Act's Safeguards Rule (enforced by the FTC), which requires covered financial institutions to implement security programs adequate to the sensitivity of data collected. The CFPB's Section 1033 open banking framework, once finalized, is expected to establish standards for third-party data access that may require screen scraping and credential-based access to be phased out in favor of tokenized API access. The 2022 FTC consent order against Plaid specifically addressed representations made to users during credential collection. GOVERNANCE EXPOSURE: High. Credential collection represents the highest-sensitivity data handling in this policy. Even where credentials are stated to be encrypted or not stored long-term, the transmission and temporary handling of authentication credentials creates significant security and regulatory exposure. The FTC consent order history makes this provision subject to heightened scrutiny in any regulatory review. JURISDICTION FLAGS: All US jurisdictions are affected given federal GLBA applicability. California residents have additional protections under CPRA's treatment of sensitive personal information, which includes financial account credentials. EU and UK users are protected under GDPR's requirements for explicit consent and data minimization principles, which regulators may apply to assess whether credential collection is proportionate to the stated purpose. CONTRACT AND VENDOR IMPLICATIONS: Developer partners building on Plaid's API should review their own privacy policies and user agreements to ensure disclosures about Plaid's credential collection practices are adequate. Failure to disclose Plaid's role as a data collector in the app's own privacy policy may expose the developer to FTC Section 5 or state UDAP claims. Data processing agreements between Plaid and developer partners should address credential handling liability allocation. COMPLIANCE CONSIDERATIONS: Compliance teams should document the credential collection flow in full, including encryption standards, storage duration, and deletion protocols. They should assess whether current disclosures in Plaid Link's consent interface satisfy CPRA's requirement for explicit consent to collection of sensitive personal information defined to include financial account credentials. The 2022 FTC consent order terms should be reviewed against current Link interface disclosures.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Credential collection is among the most sensitive data practices in consumer finance, and users may not realize that a financial infrastructure company, rather than just the app they are using, is receiving and handling their bank login information.
If Plaid collects your bank credentials during the connection process, those credentials are transmitted to and temporarily or persistently handled by Plaid's systems, creating exposure risk beyond the app you intentionally logged into.
ConductAtlas has identified this type of provision across 1 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Plaid.