
Yes. Plaid can be used to verify banking details (many stock brokers use it for this, for example).

Plaid works by asking the user to give their banking username and password to Plaid, and then their two factor authentication token too. Plaid logs into their account behind the scenes to verify ownership.

Plaid claims to not store this info, and I assume that they don't, but it still seems like one of the biggest security anti-patterns ever. If nothing else, it's training users to ignore the "don't share your password" warnings. Do we really want users trained to be more susceptible to phishing?



Yeah, in the last decade I have many times considered building a service that would have a better interface and access to information by fetching it from all my financial institutions, but what's held me back is the lack of APIs, and I never even considered collecting user credentials as a viable option because of the potential security nightmare and possible liabilities. I guess it pays to be ignorant of all that and just plow ahead. Once you get billions in VC funding, you can fend off any consequences.


> Plaid claims to not store this info, and I assume that they don't

Think of it as Plaid storing OAuth2 access tokens, sort of; and the tokens do expire (over pretty long periods), though some bank integrations do allow them to generate their equivalent of refresh tokens.

Plaid didn't go into this blind; they know the tightrope they're walking. As someone who's worked with Plaid to build an integration into our product, I'd say they're definitely in a very gray area, but that's pretty much all of the Fintech space right now.

Although, I'd also say they're not malicious; even if it is just motivated by the fear of the bad press resulting in a customer exodus.



