Skip to content
Security & trust

Is it safe to connect client bank accounts via Plaid?

By Chris Wattinger, Founder at Scale CPA · Published · Updated · 3 min read
securityplaidstatement collection

The short answer: yes — when it’s done through a regulated aggregator with a security-first implementation, connecting client bank accounts for statement retrieval is safer than the status quo it replaces. The client authenticates at their own bank, nobody’s credentials are shared or stored, access is read-only data access, and every retrieval is verifiable. The risk conversation should really be about email, which fails every one of those tests.

How does a bank connection actually work?

The flow that happens when a client clicks a connect link:

  1. The client picks their bank inside a secure flow (Plaid Link or Mastercard Open Banking Connect).
  2. They sign in with the bank — for most major institutions via the bank’s own OAuth page, the same pattern as “Sign in with Google.” The firm’s software never renders a password field for the bank.
  3. The bank issues a scoped token representing exactly the access the client approved (for our purposes: statements and account metadata).
  4. The aggregator hands the software that token, which is then encrypted (AES-256-GCM in StatementFlow’s implementation) and stored — the token, not credentials.
  5. Retrieval happens against that token, on the account’s statement cycle, with each downloaded PDF hash-verified and logged.

The client can revoke access at any time — at the bank, at the aggregator, or by asking the firm. Plaid’s own security overview and the CFPB’s open-banking rulemaking under Section 1033 are useful references for how consented data access is structured and regulated in the US.

What does “read-only” really mean?

It means the connection is data-scoped: it can retrieve documents and metadata, and cannot do anything else. No transfers, no payments, no changes at the bank. A statement-retrieval connection is closer to a librarian’s card than a key — it can fetch copies of specific records; it can’t touch the vault.

Two implications worth stating plainly to clients:

  • Consent is explicit and specific. The client sees what’s being shared during connection — this isn’t scraping in the dark.
  • The blast radius of a breach is bounded. Even in a worst-case token compromise, the exposure is document access — serious, but categorically different from money movement. (And a good implementation encrypts tokens at rest precisely to keep that scenario theoretical.)

How does the risk compare to how firms collect today?

Email attachmentsShared bank loginConsented connection
Credentials exposedNoYes — fullyNo
Financial PII at rest in inboxesYes, indefinitelyNoNo
MFA preservedn/aDefeatedYes (bank-side)
Client can revokeCan’t un-send emailPassword changeOne click
Verifiable file integrityNoNoYes (hash-verified)
Audit trailInbox forensicsNoneLogged per retrieval
Bank ToSOKUsually violatedSanctioned pattern

Shared logins deserve their own sentence: never. Holding a client’s online-banking password defeats their MFA, likely violates the bank’s terms, and can shift liability for anything that happens in that account toward whoever held the credentials. The consented connection exists precisely so nobody has to do this.

Email’s problems are quieter but real — and regulators now treat them as the firm’s problem: the FTC’s Safeguards Rule and the IRS’s Publication 4557 both push professional firms toward exactly the controls in the right-hand column: encrypted transmission and storage, access controls, and monitoring. The full channel ranking is in secure ways to receive client bank statements.

What should you demand from any retrieval vendor?

The aggregator is only half the story — the software holding the tokens is the other half. The checklist we’d apply to anyone, ourselves included:

  • Bank-side authentication only — the vendor never collects bank credentials.
  • Encryption at rest for tokens/credentials (AES-256-class), not just “encrypted in transit.”
  • Hash verification of downloaded statements, so files are provably intact.
  • Role-based access + step-up auth (passkeys/WebAuthn) on connection changes.
  • A real audit log — who did what, and per-statement retrieval timelines.
  • Your files in your storage, so leaving the vendor never means losing the archive.
  • Written security documentation they’ll actually show you.

How StatementFlow answers each line is documented publicly — and the founding-firm invitation includes exactly that security review: bring your checklist.

FAQ

Can Plaid or statement software move money from client accounts?
Not in a statement-retrieval integration. The access granted is data-scoped: statement documents and account metadata. There is no payment or transfer capability in the connection, and the client authorizes exactly what is shared, at their bank.
Does my firm see the client’s bank password?
No — that is the core design. The client authenticates directly with their bank (increasingly via the bank’s own OAuth page). The firm and the software receive a scoped access token, never credentials, and the client can revoke access at the bank.
Is a bank connection safer than the client emailing statements?
Substantially. Email scatters unencrypted financial documents across inboxes indefinitely and invites business-email-compromise fraud. A consented connection uses bank-side auth, encrypted tokens, and logged, verifiable retrieval — a categorically smaller attack surface.
What security features should statement-retrieval software have?
Minimum bar: bank-side authentication, AES-256-class encryption of tokens at rest, hash verification of downloaded files, role-based access control, step-up authentication for sensitive actions, an audit log, and files stored where the firm controls them.

Keep reading

Chris Wattinger — Founder, Scale CPA. Chris runs Scale CPA, a US accounting firm, and built StatementFlow inside the firm to kill the monthly statement chase across its own client book.

LinkedIn · About StatementFlow

Stop chasing. Start closing.

Join the early-access waitlist and be one of the founding firms that never asks a client for a bank statement again.

Get early access