When you use Plaid to connect your bank account to an app, Plaid collects your account details, balance, transaction history, and in some cases your actual bank login credentials.
This analysis describes what Plaid's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Credential collection is among the most sensitive data practices in consumer finance, and users may not realize that a financial infrastructure company, rather than just the app they are using, is receiving and handling their bank login information.
Interpretive note: The full verbatim policy text was not available in the truncated document; this provision characterization is based on Plaid's publicly documented privacy policy language and the visible page metadata.
End consumers may see their financial data accessed by a broader range of people under developer accounts, but Plaid now requires developers to formally designate and manage these 'Authorized Users' …
Plaid's updated terms establish a new direct relationship with you through the Plaid Account and introduce a monitoring service that operates through a web app. The terms now authorize Plaid to share…
If Plaid collects your bank credentials during the connection process, those credentials are transmitted to and temporarily or persistently handled by Plaid's systems, creating exposure risk beyond the app you intentionally logged into.
How other platforms handle this
When you visit the Careers portion of our websites, we collect the information that you provide to us in connection with your job application. This includes but is not limited to business and personal contact information, professional credentials and skills, educational and work history and other in...
American does not knowingly collect personal information directly from children – persons under the age of 13, or another age if required by applicable law – other than when required to comply with the law or for safety and security reasons. Due to the nature of our Services, we may collect travel i...
We may collect information about your location, including precise geolocation information, when you use our Services. We use this information to provide location-based services, such as showing you products available in your area, and for other purposes described in this Privacy Policy.
Monitoring
Plaid has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"When you connect your financial accounts to an application that uses Plaid, we collect information from those accounts including account and routing numbers, account balances, transaction history, and in some cases account credentials such as usernames and passwords in order to establish and maintain the connection.— Excerpt from Plaid's Plaid End User Privacy Policy
REGULATORY LANDSCAPE: Credential collection in financial data access engages the Gramm-Leach-Bliley Act's Safeguards Rule (enforced by the FTC), which requires covered financial institutions to implement security programs adequate to the sensitivity of data collected. The CFPB's Section 1033 open banking framework, once finalized, is expected to establish standards for third-party data access that may require screen scraping and credential-based access to be phased out in favor of tokenized API access. The 2022 FTC consent order against Plaid specifically addressed representations made to users during credential collection. GOVERNANCE EXPOSURE: High. Credential collection represents the highest-sensitivity data handling in this policy. Even where credentials are stated to be encrypted or not stored long-term, the transmission and temporary handling of authentication credentials creates significant security and regulatory exposure. The FTC consent order history makes this provision subject to heightened scrutiny in any regulatory review. JURISDICTION FLAGS: All US jurisdictions are affected given federal GLBA applicability. California residents have additional protections under CPRA's treatment of sensitive personal information, which includes financial account credentials. EU and UK users are protected under GDPR's requirements for explicit consent and data minimization principles, which regulators may apply to assess whether credential collection is proportionate to the stated purpose. CONTRACT AND VENDOR IMPLICATIONS: Developer partners building on Plaid's API should review their own privacy policies and user agreements to ensure disclosures about Plaid's credential collection practices are adequate. Failure to disclose Plaid's role as a data collector in the app's own privacy policy may expose the developer to FTC Section 5 or state UDAP claims. Data processing agreements between Plaid and developer partners should address credential handling liability allocation. COMPLIANCE CONSIDERATIONS: Compliance teams should document the credential collection flow in full, including encryption standards, storage duration, and deletion protocols. They should assess whether current disclosures in Plaid Link's consent interface satisfy CPRA's requirement for explicit consent to collection of sensitive personal information defined to include financial account credentials. The 2022 FTC consent order terms should be reviewed against current Link interface disclosures.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Netflix updated its Privacy Statement on April 18, 2026, disclosing voice recording collection and expanded household ad profiling for the first time.
Google's Privacy Policy covers Search, Gmail, YouTube, Maps, and every site running Google Analytics. Here is what it actually authorizes.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Credential collection is among the most sensitive data practices in consumer finance, and users may not realize that a financial infrastructure company, rather than just the app they are using, is receiving and handling their bank login information.
If Plaid collects your bank credentials during the connection process, those credentials are transmitted to and temporarily or persistently handled by Plaid's systems, creating exposure risk beyond the app you intentionally logged into.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Plaid.