This recipe will track the progress of the Plaid integration.

Status as of January 2023: Primary development is complete. We are working now on setting up a QC sandbox for internal testing and for Plaid developers to use. We will then hand off to Plaid, although we are not privy to their plans for where/when to implement the changes on their end.

Background

In late 2022, CU*Answers concluded a very lengthy process to complete an agreement with Plaid. This agreement (CoreX Plaid Access Agreement) includes the rules for building an integration directly with the Plaid Instantly Authenticate Data system.

This engagement is the first time that CU*Answers has built a direct connection with a 3^rd party aggregator that will create a secure and direct relationship to member data. Plaid, one of the industry leaders in this realm, will use this connection to allow access to financial account data so that it can be delivered to various applications used by members such as RobinHood, Gusto, TransferWise, American Express and QuickBooks.

Our thanks to Honor CU for championing this project via the DHD.

Authentication

More than just the value of connecting member data to a wide range of applications, the Plaid integration changes the way the authentication process happens. Currently aggregators must store a member’s user name, password, and answers to challenge questions. When a member requests access to their data through a supported application, the aggregators must provide those credentials.

This approach typically requires the aggregators to screen-scrape the data and then attempt to interpret it. If the online banking interface is changed at any point, that process might be interrupted until the aggregator updates their screen-scrape settings. Once this integration project is complete, future changes we might make to our online banking platform would not cause this interruption for aggregators that use Plaid, since we’re sending specific data to their API, independent of our user interface.

One additional challenge for aggregators is the introduction of multi-factor authentication (MFA) technology. The model of storing credentials and screen scraping won’t work then, because an aggregator has no way to respond to the MFA verification. An integration with Plaid uses a much more trusted per-membership token approach for sending financial data, and that means Plaid can support MFA when added to the login process (see the separate Kitchen page for more on MFA when logging in to online banking).

Network Traffic

Part of the configuration includes new mechanisms for handling network traffic bursts. Aggregators have previously flooded our network with traffic due to misconfigurations on their side, and that can affect everyone using the online banking system. We are developing an automated response to shunt overflow traffic and allow members to connect. We negotiated throttling language into the Plaid agreement and are building both monitoring and active throttling into our web networks that can detect, report and block traffic from specific IP addresses if maximum thresholds are hit. In other words, we’re doing our due diligence to ensure that our online banking system keeps running smoothly even after this new integration is implemented.

Your chef for this recipe:  Dawn Moore and Brian Mauer