This recipe will track the progress of the Plaid integration. Both It’s Me 247 and BizLink 247 are included in this project.
Status as of September 2023: We are currently in beta-testing with several credit unions, verifying and monitoring network traffic and access. After that period is complete, Plaid will be turned on for all credit unions throughout the fall. The integration will be activated for all credit unions unless specifically opted out (opt-out forms are due September 1, 2023). See the Client News announcement sent to all CUs on August 18, 2023.
As with any vendor integration we introduce, your credit union is still responsible for doing your usual due diligence on the overall vendor and how it fits with your member products and services. Learn more at https://plaid.com/safety/.
Why Plaid for your members?
In a nutshell: Members want to connect to their accounts from apps and sites across the Internet. Our integration with Plaid provides a single connection that reaches thousands of those apps. Members already do this today, but it requires them to manually enter credentials and information about your credit union in order to get connected. Any later change (a password change, adding MFA, changes to the online banking app itself) means the member has to maintain those settings in every app.
By connecting to Plaid via a dedicated interface, the member will immediately see your CU name in thousands of apps they interact with every day. And they can set it and forget it: once they authenticate to get the connection set up, that connection won’t be affected by future changes to their credentials or our online banking application.
Background
In late 2022, CU*Answers concluded a very lengthy process to complete an agreement with Plaid. This agreement (CoreX Plaid Access Agreement) includes the rules for building an integration directly with the Plaid Instantly Authenticate Data system.
This engagement is the first time that CU*Answers has built a direct connection with a 3rd party aggregator that will create a secure and direct relationship to member data. Plaid, one of the industry leaders in this realm, will use this connection to allow access to financial account data so that it can be delivered to various applications used by members such as RobinHood, Gusto, TransferWise, American Express and QuickBooks.
Our thanks to Honor CU for championing this project via the DHD.
Authentication
Beyond the value of connecting member data to a wide range of applications, the Plaid integration changes the way the authentication process happens. Currently, aggregators must store a member’s user name, password, and answers to challenge questions. When a member requests access to their data through a supported application, the aggregator must provide those credentials.
This approach typically requires the aggregators to screen-scrape the data and then attempt to interpret it. If the online banking interface is changed at any point, that process might be interrupted until the aggregator updates their screen-scrape settings. Once this integration project is complete, future changes we might make to our online banking platform would not cause this interruption for aggregators that use Plaid, since we’re sending specific data to their API, independent of our user interface.
One additional challenge for aggregators is the introduction of multi-factor authentication (MFA) technology. The model of storing credentials and screen scraping won’t work then, because an aggregator has no way to respond to the MFA verification. An integration with Plaid uses a much more trusted per-membership token approach for sending financial data, and that means Plaid can support MFA when added to the login process (see the separate Kitchen page for more on MFA when logging in to online banking).

Network Traffic
Part of the configuration includes new mechanisms for handling network traffic bursts. Aggregators have previously flooded our network with traffic due to misconfigurations on their side, and that can affect everyone using the online banking system. We are developing an automated response to shunt overflow traffic and allow members to connect. We negotiated throttling language into the Plaid agreement and are building both monitoring and active throttling into our web networks that can detect, report and block traffic from specific IP addresses if maximum thresholds are hit. In other words, we’re doing our due diligence to ensure that our online banking system keeps running smoothly even after this new integration is implemented.
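The detect, report and block behavior described above can be sketched as a per-IP sliding-window counter. This is an added illustration, not CU*Answers' or Plaid's implementation; the window, both thresholds, the block duration and the sample addresses are all assumed or constructed values.

```python
from collections import Counter, defaultdict, deque


class IpThrottle:
    """Per-source-IP sliding-window monitor: allow, report, then block."""

    def __init__(self, window_s=30, report_at=5, block_at=8, block_s=60):
        # All four values are assumed for illustration, not taken from the page.
        self.window_s, self.report_at = window_s, report_at
        self.block_at, self.block_s = block_at, block_s
        self.hits = defaultdict(deque)   # ip -> timestamps inside the window
        self.blocked_until = {}          # ip -> time the block expires
        self.reports = []                # (ts, ip, event, count) for operators

    def observe(self, ts, ip):
        """Classify one request as 'allow', 'report' or 'block'."""
        if self.blocked_until.get(ip, 0) > ts:
            return "block"               # still serving an earlier block
        q = self.hits[ip]
        q.append(ts)
        while q[0] <= ts - self.window_s:
            q.popleft()                  # forget requests older than the window
        if len(q) > self.block_at:
            self.blocked_until[ip] = ts + self.block_s
            self.reports.append((ts, ip, "blocked", len(q)))
            q.clear()
            return "block"
        if len(q) > self.report_at:
            self.reports.append((ts, ip, "warning", len(q)))
            return "report"
        return "allow"


def replay(events, throttle):
    """Feed (timestamp, ip) events in time order; tally decisions per IP."""
    tally = defaultdict(Counter)
    for ts, ip in sorted(events):
        tally[ip][throttle.observe(ts, ip)] += 1
    return tally


# Constructed sample: one misconfigured client bursting once a second,
# and one member making occasional requests. Addresses are documentation ranges.
SAMPLE_EVENTS = [(t, "203.0.113.10") for t in range(20)]
SAMPLE_EVENTS += [(t, "198.51.100.7") for t in (0, 10, 20)]

if __name__ == "__main__":
    throttle = IpThrottle()
    for ip, counts in replay(SAMPLE_EVENTS, throttle).items():
        print(ip, dict(counts))
    print(throttle.reports)
```

Because counting is keyed on the source address, the bursting client is warned and then blocked while the member's requests at the same moments are still allowed.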
FAQs
Q: My compliance person asked whether our decision to opt in or out affects our own Privacy Policy and disclosure to members. Should this be addressed by our disclosure regarding sharing of information to 3rd party relationships?
A: This interface simply streamlines and stabilizes the connection between a member and whatever application they’ve elected to share their own personal information with. We are not sending batches of data to Plaid ourselves. Members elect to connect by providing their credentials to a third party. As described elsewhere, they are doing this every day, day in and day out, already. What happens with their data is the same regardless of whether they are using this new, more stable interface, or doing it using the existing screen-scrape method. The only difference is that if they use this interface, it won’t get interrupted by future changes to their password, addition of multi-factor authentication to their account, etc.
Your chef for this recipe: Brian Mauer