September 11, 2025

Setting the Standard for Safer, Permissioned Data Access

Justina Chen
Product Manager

Brenna Ramsay
Product Marketing Manager

Financial institutions want to ensure their customers can benefit from engaging with their finances online. At the same time, they worry about whether that data is being used as intended, and whether the apps users connect to are legitimate or introduce new risk through open finance channels. 

Plaid enables financial institutions and consumers to manage these risks by clearly showing how data will be accessed and enabling them to view and manage these connections.

Permissioned by design

Over 150 million consumers have used Plaid to securely link their accounts from 12,000+ financial institutions. With every connection, they review simple consent screens that show which accounts will be shared. 

Plaid’s user consent safeguards are anchored in three principles: 

  • Transparency: Users clearly see the app they’re connecting to, Plaid’s involvement, and the scope of accounts before authorizing a connection. 

  • Data minimization: Plaid will only share the data an app needs, even if the financial institution API returns more. For example, if an app only needs a checking account to enable ACH payments, we won’t share unnecessary data, like the user’s credit card account. 

  • Enforcement: Plaid enforces guardrails so apps can only use the data types that both the consumer and Plaid have approved. Apps can’t retroactively pull unapproved data, and they can’t access accounts that weren’t explicitly permissioned during onboarding.
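The data-minimization and enforcement principles above describe a policy decision made at release time: an app gets only the data types it was approved for, and only for the accounts the user permissioned, even when the institution's API returns more. The following is an added illustration of such a check, written for this page and not Plaid's code; the consent record, the institution response, and the mapping from data types to response fields are all constructed for the example.

```python
"""Consent-scoped data release: an illustrative enforcement check.

Constructed example, not Plaid's code. It models two rules: an app receives only
the data types it was approved for, and only for the accounts the user permissioned
during onboarding, regardless of what the upstream institution API returned.
"""
from dataclasses import dataclass


class ConsentViolation(Exception):
    """Raised when an app asks for data outside its approved scope."""


@dataclass(frozen=True)
class Consent:
    app_id: str
    approved_data_types: frozenset       # e.g. {"auth", "balance"}
    permissioned_account_ids: frozenset  # accounts selected at onboarding
    revoked: bool = False


# Constructed institution response: deliberately more than the app should see.
INSTITUTION_RESPONSE = {
    "accounts": [
        {"account_id": "acc-checking-1", "type": "depository", "balance": 1250.40,
         "routing": "011000015", "account_number": "000123456789"},
        {"account_id": "acc-credit-1", "type": "credit", "balance": -430.00,
         "routing": None, "account_number": "4111********1111"},
    ],
    "transactions": [
        {"account_id": "acc-checking-1", "amount": -42.10, "name": "Grocery"},
        {"account_id": "acc-credit-1", "amount": -99.00, "name": "Airline"},
    ],
}

# Which account fields each data type unlocks (constructed mapping for the example).
FIELDS_BY_DATA_TYPE = {
    "auth": {"routing", "account_number"},
    "balance": {"balance"},
    "transactions": set(),  # unlocks the transactions list, no extra account fields
}


def release(consent: Consent, requested_data_types: set, upstream: dict) -> dict:
    """Return only what the consent allows; refuse any request outside its scope."""
    if consent.revoked:
        raise ConsentViolation(f"consent for {consent.app_id} has been revoked")

    unapproved = set(requested_data_types) - consent.approved_data_types
    if unapproved:
        # Enforcement rather than silent filtering: an out-of-scope request fails closed.
        raise ConsentViolation(
            f"{consent.app_id} requested unapproved data types: {sorted(unapproved)}")

    allowed_fields = {"account_id", "type"}
    for data_type in requested_data_types:
        allowed_fields |= FIELDS_BY_DATA_TYPE.get(data_type, set())

    # Data minimization: drop unpermissioned accounts and unapproved fields.
    accounts = [
        {k: v for k, v in acct.items() if k in allowed_fields}
        for acct in upstream["accounts"]
        if acct["account_id"] in consent.permissioned_account_ids
    ]
    out = {"accounts": accounts}
    if "transactions" in requested_data_types:
        out["transactions"] = [
            t for t in upstream["transactions"]
            if t["account_id"] in consent.permissioned_account_ids
        ]
    return out


if __name__ == "__main__":
    # An ACH app approved for "auth" on the checking account only.
    ach_consent = Consent("app-ach", frozenset({"auth"}), frozenset({"acc-checking-1"}))
    print(release(ach_consent, {"auth"}, INSTITUTION_RESPONSE))
```

The important design choice is that an unapproved data type is rejected, not quietly filtered out: a rejected request is a signal worth logging, since a well-behaved app never asks for more than it onboarded with.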

Consumers can always see which apps they’ve connected, what data those apps accessed, and revoke access at any time, either through Plaid’s consumer portal or directly through the third-party app. Financial institutions can also let consumers view and manage Plaid connections in the institution’s own consumer portal. Regardless of where consumers choose to manage consent, Plaid’s permissions system keeps the ecosystem in sync — giving them a single source of truth and ongoing control.

The result: customers understand and can control what they share, and financial institutions can be confident that data is shared with their permission.

Visibility and control for financial institutions

User consent is only one piece of the puzzle. Financial institutions also need to understand the apps that their customers are connecting to, as well as have visibility into the specific connections their customers have made. 

Plaid’s answer to this is App Directory and Permissions Manager, which enable financial institutions to access:

  • A clear view of every app their customers connect through Plaid.

  • Details of every customer connection, including when the connection was made and what data was shared.

  • Real-time notifications of new connections.

  • Direct controls for financial institutions and their customers to stop data sharing.

These products are available with no code in Plaid’s Data Partner Dashboard or through APIs that financial institutions can embed into their consumer web and mobile apps. 

Using Plaid, financial institutions don’t have to stitch together a solution for safe data sharing. We’ve built a unified system that brings transparency and control directly to financial institutions and their customers.

Securing each connection

At Plaid, user consent is backed by strong security measures that protect every connection from start to finish. Before data ever reaches an app, Plaid runs multiple layers of fraud checks, enforces authentication standards, and ensures users have clear visibility and control. 

Plaid’s security measures at link initiation and during the user flow include:

  • Authentication and credential validation: Plaid Link manages login and MFA steps using industry standard protocols, ensuring users authenticate securely at their bank.

  • Secure redirection with OAuth: For institutions that support OAuth, Plaid securely redirects users to their financial institution for authentication, safeguarding token exchanges and redirect validations.

  • Session and token security: Each connection uses cryptographically secure tokens, with strict server-side exchange requirements to protect ongoing access.

  • Returning user protections: When users choose to be remembered, Plaid verifies phone number and device consistency and is deploying biometric or passkey authentication for safer re-connections.

  • Security notifications: Consumers receive real-time alerts each time a new connection is made, giving them immediate visibility and the ability to flag anything they don’t recognize.
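The OAuth and token bullets above rest on a few concrete checks: the redirect URI must exactly match one registered in advance, the callback must be bound to the session that started the flow, and the authorization code must be redeemed only server-side. The following added example walks through that exchange with both sides present; it is an illustration written for this page, not Plaid's or any institution's implementation. The endpoints, the client id, and the `FakeInstitution` stand-in for the bank's authorization server are all constructed for the example.

```python
"""Illustrative OAuth redirect hardening for an account-linking flow.

Constructed example, not Plaid's code. Demonstrates: an exactly matched, pre-registered
redirect URI; a per-session state value binding the callback to the session that
started it; and a server-side code exchange using PKCE, so a leaked code cannot be
redeemed elsewhere or replayed.
"""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

REGISTERED_REDIRECTS = {"https://app.example/oauth/callback"}  # constructed allowlist
AUTHORIZE_ENDPOINT = "https://bank.example/oauth/authorize"     # constructed endpoint
CLIENT_ID = "linker-client"                                     # constructed client id


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def begin_authorization(redirect_uri: str) -> tuple:
    """Build the authorization URL and the per-session values the server must retain."""
    if redirect_uri not in REGISTERED_REDIRECTS:  # exact match only, no prefix or wildcard
        raise ValueError("redirect_uri is not registered")
    state = secrets.token_urlsafe(32)
    verifier = secrets.token_urlsafe(64)
    challenge = _b64url(hashlib.sha256(verifier.encode()).digest())
    url = AUTHORIZE_ENDPOINT + "?" + urlencode({
        "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": redirect_uri,
        "state": state, "code_challenge": challenge, "code_challenge_method": "S256"})
    return url, {"state": state, "verifier": verifier, "redirect_uri": redirect_uri}


def validate_callback(callback_url: str, session: dict) -> str:
    """Check the redirect back from the institution and return the authorization code."""
    parts = urlsplit(callback_url)
    base = f"{parts.scheme}://{parts.netloc}{parts.path}"
    if base != session["redirect_uri"]:
        raise ValueError("callback arrived on an unexpected redirect URI")
    query = parse_qs(parts.query)
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), session["state"].encode()):
        raise ValueError("state mismatch: callback is not bound to this session")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("missing authorization code")
    return code


def exchange_code_server_side(code: str, session: dict, token_endpoint_post) -> dict:
    """Redeem the code from the server only, never from the browser, with the PKCE verifier."""
    return token_endpoint_post({"grant_type": "authorization_code", "code": code,
                                "redirect_uri": session["redirect_uri"],
                                "code_verifier": session["verifier"]})


class FakeInstitution:
    """Constructed stand-in for the bank's authorization server (test double only)."""

    def __init__(self):
        self._codes = {}  # authorization code -> PKCE challenge it was issued against

    def authorize(self, url: str) -> str:
        """Simulate the user authenticating at the bank; return the redirect-back URL."""
        q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
        if q["redirect_uri"] not in REGISTERED_REDIRECTS:  # the bank checks registration too
            raise ValueError("bank rejected unregistered redirect_uri")
        code = secrets.token_urlsafe(16)
        self._codes[code] = q["code_challenge"]
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, params: dict) -> dict:
        challenge = self._codes.pop(params["code"], None)  # single use: replay fails
        expected = _b64url(hashlib.sha256(params["code_verifier"].encode()).digest())
        if challenge is None or not hmac.compare_digest(expected, challenge):
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def link_account(bank: FakeInstitution, redirect_uri: str) -> dict:
    """Run the full flow end to end and return the token response."""
    url, session = begin_authorization(redirect_uri)
    callback = bank.authorize(url)
    code = validate_callback(callback, session)
    return exchange_code_server_side(code, session, bank.token)


if __name__ == "__main__":
    print(link_account(FakeInstitution(), "https://app.example/oauth/callback"))
```

Two details carry most of the protection: `state` is compared in constant time and must match the value stored for this session, and the token endpoint refuses a code that is reused or presented without the verifier that matches its challenge, so a code observed in a redirect is useless on its own.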

This approach combines proactive monitoring, app-level transparency, and consumer alerts, giving financial institutions confidence that open finance connections are safe by default.

Setting the standard

Trust and safety are at the core of Plaid’s infrastructure for open finance. 1 in 2 adults in the US have linked and authorized an account through Plaid, trusting us to power secure connections with their financial institutions. At Plaid, there are many engineering teams, in addition to security, legal, and risk teams, dedicated to creating and delivering on Plaid’s promise of data security. 

For financial institutions and consumers, this means every connection is built on transparency and control. Together, these safeguards make it possible to:

  • Ensure consumers share data only with explicit and revocable permission.

  • Give financial institutions visibility into every connection, with the ability to act on it.

  • Mitigate fraudulent or risky actors at scale.

By embedding these safeguards across every layer of the open finance experience, Plaid helps financial institutions deliver on their promise of trust and safety for their customers.

Want to learn more about Plaid’s approach to consent, governance, and data safety? Reach out to your Data Partner Representative or connect with us at openfinance@plaid.com.