Is it safe to connect client bank accounts via Plaid?
The short answer: yes — when it’s done through a regulated aggregator with a security-first implementation, connecting client bank accounts for statement retrieval is safer than the status quo it replaces. The client authenticates at their own bank, nobody’s credentials are shared or stored, access is read-only data access, and every retrieval is verifiable. The risk conversation should really be about email, which fails every one of those tests.
How does a bank connection actually work?
The flow that happens when a client clicks a connect link:
- The client picks their bank inside a secure flow (Plaid Link or Mastercard Open Banking Connect).
- They sign in with the bank — for most major institutions via the bank’s own OAuth page, the same pattern as “Sign in with Google.” The firm’s software never renders a password field for the bank.
- The bank issues a scoped token representing exactly the access the client approved (for our purposes: statements and account metadata).
- The aggregator hands the software that token, which is then encrypted (AES-256-GCM in StatementFlow’s implementation) and stored — the token, not credentials.
- Retrieval happens against that token, on the account’s statement cycle, with each downloaded PDF hash-verified and logged.
The client can revoke access at any time — at the bank, at the aggregator, or by asking the firm. Plaid’s own security overview and the CFPB’s open-banking rulemaking under Section 1033 are useful references for how consented data access is structured and regulated in the US.
What does “read-only” really mean?
It means the connection is data-scoped: it can retrieve documents and metadata, and cannot do anything else. No transfers, no payments, no changes at the bank. A statement-retrieval connection is closer to a librarian’s card than a key — it can fetch copies of specific records; it can’t touch the vault.
Two implications worth stating plainly to clients:
- Consent is explicit and specific. The client sees what’s being shared during connection — this isn’t scraping in the dark.
- The blast radius of a breach is bounded. Even in a worst-case token compromise, the exposure is document access — serious, but categorically different from money movement. (And a good implementation encrypts tokens at rest precisely to keep that scenario theoretical.)
How does the risk compare to how firms collect today?
| Email attachments | Shared bank login | Consented connection | |
|---|---|---|---|
| Credentials exposed | No | Yes — fully | No |
| Financial PII at rest in inboxes | Yes, indefinitely | No | No |
| MFA preserved | n/a | Defeated | Yes (bank-side) |
| Client can revoke | Can’t un-send email | Password change | One click |
| Verifiable file integrity | No | No | Yes (hash-verified) |
| Audit trail | Inbox forensics | None | Logged per retrieval |
| Bank ToS | OK | Usually violated | Sanctioned pattern |
Shared logins deserve their own sentence: never. Holding a client’s online-banking password defeats their MFA, likely violates the bank’s terms, and can shift liability for anything that happens in that account toward whoever held the credentials. The consented connection exists precisely so nobody has to do this.
Email’s problems are quieter but real — and regulators now treat them as the firm’s problem: the FTC’s Safeguards Rule and the IRS’s Publication 4557 both push professional firms toward exactly the controls in the right-hand column: encrypted transmission and storage, access controls, and monitoring. The full channel ranking is in secure ways to receive client bank statements.
What should you demand from any retrieval vendor?
The aggregator is only half the story — the software holding the tokens is the other half. The checklist we’d apply to anyone, ourselves included:
- Bank-side authentication only — the vendor never collects bank credentials.
- Encryption at rest for tokens/credentials (AES-256-class), not just “encrypted in transit.”
- Hash verification of downloaded statements, so files are provably intact.
- Role-based access + step-up auth (passkeys/WebAuthn) on connection changes.
- A real audit log — who did what, and per-statement retrieval timelines.
- Your files in your storage, so leaving the vendor never means losing the archive.
- Written security documentation they’ll actually show you.
How StatementFlow answers each line is documented publicly — and the founding-firm invitation includes exactly that security review: bring your checklist.
FAQ
Can Plaid or statement software move money from client accounts?
Does my firm see the client’s bank password?
Is a bank connection safer than the client emailing statements?
What security features should statement-retrieval software have?
Keep reading
Chris Wattinger — Founder, Scale CPA. Chris runs Scale CPA, a US accounting firm, and built StatementFlow inside the firm to kill the monthly statement chase across its own client book.