
How Finance Apps Access Your Bank Data: Plaid, MX, Yodlee, and Finicity Explained

Last updated: April 5, 2026

TLDR

Four companies — Plaid, MX, Yodlee, and Finicity — process most US consumer bank connections for finance apps. They differ meaningfully on how they authenticate, what data they retain, and whether they've sold that data. The CFPB rule that would have mandated API-first access and prohibited data sales was frozen by court injunction in October 2025. Understanding which aggregator an app uses tells you more about its data practices than the app's privacy page does.

DEFINITION

Screen Scraping
An authentication method where the aggregator stores a user's banking username and password, logs in to the bank's website on the user's behalf, and parses the HTML to extract account data. Screen scraping gives the aggregator the same access as the user — not read-only. It also requires storing credentials, which creates breach risk.

DEFINITION

OAuth / Token-Based API Access
An authentication method where the user authorizes a specific app to access their bank data, and the bank issues a time-limited, scoped token to the aggregator. The token grants only the permissions the user authorized (typically read-only) and can be revoked without changing the user's password. This is the more secure, modern approach.

DEFINITION

Credential Storage
When an aggregator stores a user's actual banking username and password to enable ongoing data access. Screen scraping requires credential storage; OAuth-based access does not. Apps built on credential-storing aggregators create a single point of failure: a breach of the aggregator exposes bank credentials for every connected user.
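The three definitions above describe properties that are easier to see in code. As an added illustration (not code from the page or from any aggregator), here is a toy bank in Python that offers both paths: a stored password that yields the user's full session, and a scoped, expiring token that can be revoked without touching the password. Every user, password, scope name and timestamp is constructed for the example.

```python
# Added illustration, not code from the page or any aggregator: a toy bank
# contrasting a stored password (scraping) with a scoped, expiring token.
import secrets

READ, WRITE = "accounts:read", "payments:write"   # constructed scope names

class ToyBank:
    def __init__(self):
        self.passwords = {}   # username -> password, held by the bank only
        self.tokens = {}      # token -> {"user", "scopes", "expires", "revoked"}
    def register(self, user, password):
        self.passwords[user] = password
    def login(self, user, password):
        """Scraping path: whoever holds the password gets the user's full session."""
        if self.passwords.get(user) != password:
            raise PermissionError("bad credentials")
        return {"user": user, "scopes": {READ, WRITE}}   # everything the user can do
    def authorize(self, user, password, scopes, ttl, now):
        """OAuth-style path: the user consents at the bank; the app gets a token."""
        self.login(user, password)
        token = secrets.token_urlsafe(16)
        self.tokens[token] = {"user": user, "scopes": set(scopes),
                              "expires": now + ttl, "revoked": False}
        return token
    def access(self, token, scope, now):
        """Resource endpoint: user name if the token is live and in scope, else None."""
        rec = self.tokens.get(token)
        if rec is None or rec["revoked"] or now >= rec["expires"]:
            return None
        return rec["user"] if scope in rec["scopes"] else None
    def revoke(self, token):
        self.tokens[token]["revoked"] = True      # no password change needed
    def change_password(self, user, new_password):
        self.passwords[user] = new_password       # issued tokens are unaffected

def walkthrough():
    """Run both paths; returns the observations worth checking."""
    bank = ToyBank()
    bank.register("alice", "hunter2")              # constructed sample user
    scraped = bank.login("alice", "hunter2")       # aggregator that kept the password
    tok = bank.authorize("alice", "hunter2", [READ], ttl=3600, now=1000)
    out = {"scraper_can_write": WRITE in scraped["scopes"],
           "token_read": bank.access(tok, READ, 1000) == "alice",
           "token_write": bank.access(tok, WRITE, 1000) is not None,
           "token_expired": bank.access(tok, READ, 4600) is not None}
    bank.change_password("alice", "newpass")
    out["token_after_password_change"] = bank.access(tok, READ, 1000) is not None
    bank.revoke(tok)
    out["token_after_revoke"] = bank.access(tok, READ, 1000) is not None
    return out
```

The scraping session carries the write scope because it is the user's own login; the token never does, stops working at expiry or on revocation, and is unaffected by a password change.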

DEFINITION

FDX Standard
Financial Data Exchange — an industry consortium that developed a common API standard for consumer financial data sharing. FDX enables direct bank-to-app connections without credentials changing hands. As of January 2025, FDX is recognized as an industry standard body, with 94 million consumer accounts connected via FDX-compliant APIs.

Why Four Companies Process Most of Your Bank Data

When you connect a bank account to a finance app — Monarch Money, YNAB, Copilot, Empower, or dozens of others — the app almost certainly does not talk to your bank directly. It talks to one of four companies: Plaid, MX, Yodlee, or Finicity. These financial data aggregators handle the authentication, retrieve the data, and pass it to the app.

This intermediary layer is invisible to most users. It’s also where the meaningful differences in data practices, security architecture, and privacy risk actually live.

The Four Aggregators

Plaid

Plaid is the most recognized name because it dominates the fintech-facing market. Most consumer finance apps you’ve heard of use Plaid — its network covers thousands of financial institutions.

Plaid’s history with data practices is complicated. The 2022 $58M class action settlement (In re Plaid Inc. Privacy Litigation, N.D. Cal.) alleged that Plaid’s Link product displayed bank-branded login screens that led users to believe they were logging into their bank, then used those credentials to access years of transaction data beyond what users intended to share.

Post-settlement, Plaid’s data practices changed significantly. The settlement required enhanced disclosures and data minimization. Plaid has also migrated the majority of connections away from credential-based screen scraping toward OAuth APIs.

Plaid also launched my.plaid.com — a portal where users can view every app connected to their financial accounts via Plaid and revoke access. This is meaningful infrastructure for users who want visibility into what they’ve authorized.

What Plaid does not do (post-settlement, per its privacy policy): sell transaction data to third parties for advertising or investment purposes. Plaid’s business model is SaaS fees charged to the apps that use its API — not data monetization.

Plaid’s estimated ARR was $390M in 2024, with a secondary-market valuation of $6.1B in April 2025 (down from a $13.4B peak). The business is large and the API infrastructure is mature; the compliance and security posture has improved, but the credential-storage era is recent history, not ancient.

MX

MX is less consumer-visible than Plaid but has deeper penetration in the bank-to-bank space. Where Plaid powers consumer fintech apps, MX powers the data infrastructure of banks and credit unions themselves — the transaction categorization, account aggregation, and financial health tools that banks offer their own customers.

MX’s data practices are less publicly scrutinized than Plaid’s, partly because it operates further from the consumer layer. No major public lawsuits or data sales have been reported. MX does not sell transaction data to third parties. Its SOC 2 Type II certification covers security controls.

MX has been candid about one vulnerability: credential stuffing attacks. In technical documentation, MX acknowledged that “the only type of attack most aggregators are truly vulnerable to is credential stuffing” — where attackers use stolen username/password combinations from other breaches to access aggregated financial data. OAuth migration reduces but does not eliminate this risk.
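Credential stuffing is visible on the aggregator's own login endpoint: one source trying many different usernames in a short window, mostly failing. As an added example (not MX's or any aggregator's code), the Python below runs that heuristic over constructed audit lines; the log format, thresholds and addresses are assumptions.

```python
# Added example, not MX's or any aggregator's code: a simple credential-stuffing
# detector over constructed login-audit lines. Format and thresholds are assumptions.
from collections import defaultdict

# Constructed sample: "<unix_ts> <source_ip> <username> <ok|fail>"
SAMPLE_LOG = """\
1700000000 203.0.113.7 alice fail
1700000001 203.0.113.7 bob fail
1700000002 203.0.113.7 carol fail
1700000003 203.0.113.7 dave ok
1700000004 203.0.113.7 erin fail
1700000005 203.0.113.7 frank fail
1700000010 198.51.100.2 alice fail
1700000011 198.51.100.2 alice fail
1700000012 198.51.100.2 alice ok
1700000020 192.0.2.9 grace ok
"""

def parse(log_text):
    """Yield (ts, ip, user, ok) tuples; malformed lines are skipped, not fatal."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("ok", "fail"):
            continue
        yield int(parts[0]), parts[1], parts[2], parts[3] == "ok"

def detect_stuffing(log_text, window=60, min_users=5, max_success_ratio=0.5):
    """Flag source IPs that try many distinct usernames within `window` seconds
    with a low success rate. One user retyping their own password is not flagged."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in parse(log_text):
        by_ip[ip].append((ts, user, ok))
    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        for i, (t0, _, _) in enumerate(events):          # sliding window per source
            burst = [e for e in events[i:] if e[0] - t0 <= window]
            users = {u for _, u, _ in burst}
            successes = sum(1 for _, _, ok in burst if ok)
            if len(users) >= min_users and successes / len(burst) <= max_success_ratio:
                alerts[ip] = {"distinct_users": len(users), "attempts": len(burst),
                              "successes": successes}
                break
    return alerts
```

On the sample, only 203.0.113.7 is flagged; 198.51.100.2 is a single user who eventually logs in, which is the pattern a naive failed-login counter would wrongly alert on.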

Finicity (Mastercard)

Finicity was acquired by Mastercard in 2020 for approximately $825M. The acquisition has meant Finicity operates under Mastercard’s compliance and data governance standards — different from an independent aggregator optimizing for data monetization.

Finicity’s OAuth-first migration predates the Mastercard acquisition; it was an early mover on API-based access. The Mastercard integration means Finicity’s data handling is subject to enterprise-level data governance standards. No reported data sales or class actions.

Finicity’s consumer-facing presence is minimal — it primarily powers lending decisioning and financial apps via B2B integrations, not the consumer fintech apps that drive Plaid’s brand recognition.

Yodlee (Envestnet / STG)

Yodlee is the oldest of the four aggregators and has the most complicated history regarding data use.

The Wall Street Journal reported in August 2015 that Yodlee was selling consumer transaction data to hedge funds — including Steven Cohen’s Point72 Asset Management — at subscription rates of $50,000 to $4 million per fund per year. Products included Predictive Revenue Signals, Shopping Insights, and Corporate Data Analytics, covering 30 million or more de-identified individuals and 10 million daily transactions across 60+ industries.

Senators Wyden and Brown, along with Representative Eshoo, wrote to the FTC in January 2020: “consumers generally have no idea of the risks to their privacy that Envestnet is imposing on them.” The FTC issued a civil investigative demand in February 2020.

A class action (Wesch v. Yodlee, 2020) alleged data was distributed in “unencrypted plain text files.” Class certification was denied in October 2024 on standing grounds, not on the merits of the underlying data practices allegations.

Bain Capital took Envestnet private for $4.5B in November 2024. Yodlee was subsequently sold to private equity firm STG in September 2025. The analytics business continued under new ownership.

Aggregator Comparison

Financial data aggregator comparison — access method, API migration, data practices, and track record

Plaid
  Primary access method: OAuth APIs (legacy: credential storage)
  API migration: ~80% API as of Sept 2024
  Data sold to third parties: No (post-2022 settlement)
  Notable incidents: $58M class action settlement, 98M affected users; TD Bank trademark suit (2020)

MX
  Primary access method: OAuth APIs (majority)
  API migration: ~70% API
  Data sold to third parties: No
  Notable incidents: No reported data sales or breaches; credential stuffing acknowledged as primary risk

Finicity (Mastercard)
  Primary access method: OAuth APIs (majority)
  API migration: ~63% API pre-acquisition; higher post-Mastercard
  Data sold to third parties: No
  Notable incidents: No reported incidents; Mastercard data governance applies

Yodlee (STG)
  Primary access method: OAuth APIs + legacy scraping
  API migration: Lower than competitors
  Data sold to third parties: Yes — hedge funds, $50K–$4M/year
  Notable incidents: Congressional inquiry; FTC demand; class action (certification denied on standing)

The FDX Standard and Direct Bank APIs

The Financial Data Exchange (FDX) is an industry-led initiative to standardize API-based data access, reducing dependence on screen scraping entirely.

FDX represents a shift where banks provide standardized APIs directly, rather than requiring aggregators to scrape or store credentials. The major banks have been moving in this direction independently — JPMorgan processed 1.89 billion API requests in a single month and established direct fee agreements with Plaid and Yodlee for API-based access, replacing the older credential-scraping model.

Two aggregators worth knowing that operate on fundamentally different models:

Akoya: Co-owned by 11 major US banks. Akoya never handles user credentials — authentication is managed by the bank, and Akoya routes the resulting token. Because the banks own Akoya, there is no commercial incentive to monetize the data externally. Coverage is narrower than Plaid’s, but the trust model is different by design.

Tink (Visa): European-origin aggregator now owned by Visa, operating primarily under PSD2 (the EU open banking regulation). PSD2 mandated API-based access and prohibited credential storage in Europe years before the US attempted equivalent regulation. Tink’s presence in US markets is limited but expanding.

What This Means When Choosing a Finance App

The aggregator an app uses is not always publicly documented, but there are ways to find out:

  • Check the app’s privacy policy for mentions of Plaid, MX, Finicity, or Yodlee
  • Look for Plaid Link in the connection flow (the Plaid-branded authentication window)
  • Ask support — apps using Akoya or direct bank APIs often highlight it

The business model of the finance app matters as much as the aggregator. A subscription-funded app using Plaid has different incentives than a free app using the same Plaid connection. The subscription app’s revenue comes from users — there is no commercial reason to monetize the data externally. A free app might be using the same Plaid connection but monetizing through financial product advertising or analytics.

The questions to ask before connecting accounts to any app: which aggregator does it use, does the privacy policy explicitly prohibit data sales, is the business model subscription or ad-supported, and can you revoke access at any time through both the app and your financial institution directly?

Q&A

What is Plaid and how does it access my bank data?

Plaid is the most widely used financial data aggregator in the US, processing connections for thousands of finance apps. Historically, Plaid used screen scraping — storing credentials and logging into bank websites on behalf of users. Since a $58M class action settlement in 2022 and ongoing regulatory pressure, Plaid has migrated the majority of connections to OAuth-based APIs, where the bank issues a token instead of Plaid storing your password. As of September 2024, Plaid reported that 80% of traffic ran on or was committed to APIs. Plaid does not sell your transaction data; post-settlement data minimization requirements restrict how long and why data is retained.

Q&A

Did Yodlee really sell my transaction data to hedge funds?

Yes. Yodlee sold consumer transaction data to hedge funds including Point72 Asset Management. Products including Predictive Revenue Signals and Shopping Insights covered 30M+ de-identified individuals at subscription rates of $50,000 to $4 million per fund per year. The Wall Street Journal broke the story in August 2015, four days before Envestnet announced a $590M acquisition of Yodlee. Yodlee was subsequently sold to private equity firm STG in September 2025, and its analytics business continued. The CFPB rule that would have prohibited this practice is currently frozen.

Q&A

What is the CFPB 1033 rule and why is it frozen?

The CFPB's Section 1033 rule, finalized in October 2024, would have required financial institutions to provide OAuth-based API access to consumer data, mandated 99.5% uptime for data access, required 24 months of transaction history, and prohibited covered entities from selling consumer data collected under data access authorization. In October 2025, a federal court issued an injunction blocking the rule, and it is currently under reconsideration. The consumer protections it would have mandated are not in effect.

Q&A

What is Akoya and how is it different from Plaid?

Akoya is a data access network co-owned by 11 major US banks (including JPMorgan, Bank of America, Wells Fargo) that was specifically designed to eliminate credential storage. Akoya never touches user credentials — the bank handles authentication and Akoya routes the data token. Because the banks own Akoya, there is no incentive to monetize the data for external sale. It covers fewer apps than Plaid but offers a fundamentally different trust model.
