If you've ever connected a bank account to Venmo, Robinhood, Cash App, Coinbase, or a budgeting app, you've used Plaid. They sit between your bank and the apps you use — which sounds either super useful or super scary depending on how you frame it. Here's the honest version of what Plaid does, what it can't do, and how to think about the risk.

Short answer: Plaid is the middleware that lets you give third-party apps read-only access to your bank transactions and balances. They don't have your password (post-OAuth), they don't move money themselves, and they're regulated by the same financial-data laws as your bank. But yes — adding any intermediary creates new attack surface, and you should know what that surface is.

What Plaid is

Plaid is a US-based fintech company (founded 2013, ~$13B valuation) that provides an API between consumer apps and ~12,000 banks. When you connect your bank to a third-party app, the app calls Plaid, and Plaid talks to your bank.

What this enables: an app can see your transactions, balance, and account info without the app developer building 12,000 individual bank integrations. That's why apps like Venmo, Robinhood, and RewardSmart can offer "link your bank" with a polished flow instead of asking you to mail in a voided check.

How it actually works

The flow you've seen — type your bank's name, log in, pick accounts — looks identical across every Plaid-powered app. Behind the scenes there are two modes:

  1. OAuth (most banks now): When you click "Connect Chase" inside an app, Plaid redirects you to Chase's actual website/app. You log in directly with Chase. Chase shows you a screen saying "Allow Plaid to access read-only transaction data?" You confirm. Chase issues a token to Plaid. Plaid never sees or stores your Chase password.
  2. Credentials (older flow, smaller banks): You enter your username and password directly into Plaid's screen. Plaid uses those credentials to log in on your behalf. This is the older, scarier-looking flow that Plaid is phasing out.

For the major US banks — Chase, Bank of America, Wells Fargo, Capital One, Citi, etc. — it's almost always OAuth now. You're logging into your bank, not into Plaid.

What Plaid can do once connected

Plaid (and through Plaid, the app you connected) can:

  • Read your transactions — what you spent, where, when, how much
  • Read your balance — checking, savings, credit, loans
  • Read account info — account numbers, routing numbers, account types
  • Read your identity — name, address, email, phone (if the app asks for it)

What Plaid CAN'T do

This is the part most articles don't make clear:

  • Plaid can't move money. Reading is one product; payment initiation is a separate Plaid product with stricter authentication, and the app has to be explicitly approved for it. Most apps (RewardSmart included) only use the read-only side.
  • Plaid can't change your bank password or anything else about your bank account.
  • Plaid can't access accounts you didn't explicitly select when linking. If you have 4 accounts at Chase and only pick checking and one credit card, Plaid only sees those two.
  • Plaid can't share your data between unrelated apps. Connecting your bank to Venmo doesn't give Robinhood access. Each app has its own connection.
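The bank-side grant logic behind the OAuth flow above and the "can't" list, as an added toy model written for this post (not Plaid's or any bank's code; the Bank class, scope names and ledger contents are assumptions). It shows why the app never holds the bank password, why only selected accounts and read-only scopes are reachable, and how revocation cuts access off immediately:

```python
# Added illustration of the bank-side OAuth grant a Plaid-style aggregator receives;
# not Plaid's or any bank's code. Names, scopes and the ledger are constructed.
import secrets
from dataclasses import dataclass

# Constructed sample data: one customer, two accounts at one bank.
LEDGER = {
    "checking": {"balance": 1250.00, "transactions": ["-42.10 grocery", "+2000 payroll"]},
    "savings": {"balance": 8000.00, "transactions": ["+50.00 interest"]},
}

@dataclass
class Grant:
    accounts: frozenset   # only the accounts the customer ticked at link time
    scopes: frozenset     # e.g. {"transactions:read", "balance:read"}
    revoked: bool = False

class Bank:
    def __init__(self):
        self._grants = {}

    def authorize(self, customer_logged_in, selected_accounts, scopes):
        # The customer authenticates with the bank (password, 2FA); the app and
        # aggregator never see those credentials, only the opaque token below.
        if not customer_logged_in:
            raise PermissionError("customer must log in at the bank first")
        if any(not s.endswith(":read") for s in scopes):
            raise PermissionError("data-access grant is read-only")
        token = secrets.token_urlsafe(24)
        self._grants[token] = Grant(frozenset(selected_accounts), frozenset(scopes))
        return token

    def read(self, token, account, resource):
        grant = self._grants.get(token)
        if grant is None or grant.revoked:
            raise PermissionError("unknown or revoked token")
        if account not in grant.accounts:
            raise PermissionError(f"{account} was not selected when linking")
        if f"{resource}:read" not in grant.scopes:
            raise PermissionError(f"{resource}:read not granted")
        return LEDGER[account][resource]

    def transfer(self, token, *_):
        # Payment initiation is a separate grant; a read token can never do it.
        raise PermissionError("read-only token cannot move money")

    def revoke(self, token):
        # Triggered from my.plaid.com, the app, or the bank's own settings page.
        self._grants[token].revoked = True
```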

The actual risks (no fluff)

Three real ones:

  1. Plaid itself getting breached. Plaid has had security incidents (notably the 2022 class-action settlement around data collection practices). If their systems are breached, attackers could potentially access transaction data for millions of users. This is the risk of any centralized aggregator.
  2. The app you connected getting breached. If Venmo's database leaks, the bank transactions Venmo synced via Plaid could leak too. The risk lives wherever the data ends up.
  3. Phishing risk during OAuth. If a bad-actor app convinces you to log in to a fake "Chase OAuth" screen, your real credentials get captured. This is a phishing risk that exists with any login, not unique to Plaid — but worth being aware of.

Things that reduce the risk

  • Only connect to apps you trust. Plaid doesn't vet which apps can use their API beyond basic onboarding. The trust decision is yours.
  • Use OAuth (not credential entry) when offered. Always pick the bank-logo OAuth flow over typing your password directly, and before you log in, check that the address bar shows your bank's real domain rather than a look-alike.
  • Review connections periodically. Visit my.plaid.com — you can see every app you've ever connected and revoke any of them.
  • Enable 2FA at your bank. A leaked Plaid token only grants read access; 2FA on the bank account itself stops a leaked or phished password from being turned into a full login and money movement.

How to disconnect

If you want to revoke access:

  1. Go to my.plaid.com and log in (uses Plaid's verification, not your bank password).
  2. You'll see a list of every app you've connected a bank to, ever.
  3. Tap any one to revoke. Plaid notifies the app, which loses access immediately.

You can also disconnect inside the app itself (RewardSmart's settings screen has a "Disconnect bank" button), and most banks let you revoke OAuth grants from their own security settings.

Why RewardSmart uses Plaid

Honest reason: it's the only way for a small app to integrate with 12,000 banks. The alternative is building per-bank integrations (Chase has its own API; so does Capital One; so does Citi — and each is gated to large fintechs). For an indie app to offer "link your bank" without Plaid, the answer is "you can't, practically speaking."

RewardSmart uses Plaid in read-only mode for transactions, liabilities, and account info. We don't have payment-initiation enabled. We don't sell your transaction data — we use it to figure out which card you used and which card you should have used.

Bottom line

Plaid is reasonable middleware that powers most modern fintech apps. It's not a zero-risk service — adding any intermediary adds attack surface — but the risks are knowable, manageable, and significantly smaller than people often assume. Use OAuth, review your connections, and disconnect anything you don't actively use.

If you're still uncomfortable, RewardSmart works with manually-added cards too. You'll lose auto-sync and missed-reward alerts, but the core card-recommendation features still work without ever touching Plaid.