Hacker News

[I work at Plaid] Not to get into too much of this, but the Consumer Financial Protection Bureau has issued guidance that banks are still required to comply with the consumer protection measures provided by Reg E (and thus cannot fully disclaim liability) even when a fraudulent transfer is the result of password sharing. More info at https://www.consumerfinance.gov/compliance/compliance-resour...

Though this is still obviously not a replacement for open banking and I would still love open banking laws in the US (and hopefully better implemented / constructed than the open banking laws in Europe!)



Can you provide more specifics on this?

I reviewed the register https://www.federalregister.gov/documents/2011/12/27/2011-31... and the link you provided.

I don't see anything that would extend the coverage to a service that is providing a read-only view into the account, or anything that mentions password sharing. I _think_ I could see what you're describing in maybe the description of the transitive nature of Regulation E to cover "non-bank payment providers", but I don't see anything that would protect me if I shared my bank password with Mint via Plaid?

I'd love to know more, and as a lay person I'm having a hard time working my way through all the language of Regulation E.


Sure. The most relevant section would be the "Error Resolution: Unauthorized EFTs" FAQ section in the link in my previous post, especially FAQs 4-8.

(Also, just to clarify how Plaid works, Plaid does not share account credentials with Plaid's customers, so you wouldn't be sharing your password with Mint via Plaid. Instead, Plaid provides token-based access to data via an API.)


Thanks! That was very helpful!

After looking at those answers and reviewing the relevant parts of Regulation E that it cites, I do feel like the regulation pretty comprehensively disallows banks from imposing liability on the consumer for sharing their password. Answer 8 especially, which notes that no waiver of Regulation E is allowed, makes me feel more comfortable.

I'd still support an open-banking API law, but your citations here have really turned down the urgency for me on that issue.

(And yep, I'm familiar that Plaid does not share the password beyond itself and the relevant bank it's authenticating with)



