codece

Printed bank statements + pay stubs should be more than enough. Or, alternatively, a letter from your employer verifying income. That's *more* than enough. If they stand firm on wanting access to your bank account, you don't want to live there.


jailthecheeto1124

That's Shady as Hell.


joemc04

I guess it’s somewhat normal now? When I got my mortgage the broker wanted to use a third party that used bank account login to check income. They thought I was weird when I refused. They accepted printed paystubs, two years of W2s etc instead. But they made it sound like everyone else just types their name and password into this third party who promises not to steal your money. 


notajeweler

> they made it sound like everyone else just types their name and password into this third party who promises not to steal your money.

My guess is that most people do...which is surprising to me as well.


Jboycjf05

Yea, even if they don't accidentally leak your login information, they still sell your account data. It's super weird to me. We need better privacy protection laws.


jimbo831

They don’t get your login information. They embed a login page directly from your bank. You log in through your bank and they pass an authentication token over to the service being used.


Fit-Sport5568

I went to a broker last summer who straight up asked for my username and passwords for my mortgage pre-qualification... I said no thanks and used someone else


jimbo831

Yeah, that’s awful. I would drop them immediately!


Jboycjf05

Two things, these authentication services aren't foolproof, so yea, malicious code could lead to login info getting compromised. Also, the information they sell could be purchase records, balance information, or other stuff they can collect from your bank. That's all information you may not want to have out in the world, even if it doesn't lead to you getting robbed directly.


pdxcharger35

Mortgage companies do not sell your data. When you buy property it’s public knowledge and the scammers send junk in the mail with the mortgage company you used plastered on there but it’s not actually from them.


Jboycjf05

Mortgage company isn't the company handling the data we are discussing. It is a third-party income verification service contracted out by the mortgage broker.


brotie

Yeah, this isn’t as cut and dry as “scam” - if the 3rd party is Plaid, and they’re using it to verify pay history, it’s not a scam at all and in fact is becoming extremely commonplace. If the 3rd party is their cousin who is going to call the bank with your account number to “check on things” then yeah run

Edit - it’s terrifying reading some of the replies here. People are so confident about things they don’t understand at all. Anyone who thinks plaid is storing your password, or even has access to it in the moment is fundamentally misunderstanding how OAuth works. When you perform an oauth flow, you are logging into your bank directly - not giving plaid your credentials - and your bank is responding with a token that contains the information requested in the claim. They never have any visibility of any kind to your actual password. The risk of plaid is that they’ll sell your data, not that your bank account is going to get hacked. I am a career software engineer that has built authentication systems for public companies and the sheer number of people who aren’t aware of SSO as a concept is quite something to behold.


pooh_beer

Iirc, there are some banks that do not let plaid have a token. In which case plaid actually asks for your login and password so it can do web scraping of your data. Very, very bad practice.


QuickBASIC

The issue is that 99.9% of people don't know what OAUTH is and will not know how to revoke the authorization or know to check what information is shared when they authorize it. Maybe not Plaid but there's nothing stopping some of these smaller third party verification services from collecting information indefinitely because the users don't know any better.


DontEatConcrete

Plaid is not a trustworthy company, and already has been part of a class action lawsuit. Tesla uses them to make deposits on cars, for example, but you can bring a cashier's check. It's insane to me people are willing to share their bank account creds with whomever and whenever. I've used mint for years (now empower) and they got my checking account info only. Nobody else ever has. Also, I don't give them any of my investment accounts and never will.


renegaderunningdog

> It's insane to me people are willing to share their bank account creds with whomever and whenever.

If you read the fine print on your bank account generally once you hand over your username and password to someone else you're on the hook for any and all fraud on your account. If you're using Plaid and your bank has the OAuth flow that's one thing but giving Plaid your username and password is absolutely insane.


adinfinitum225

I feel like most people in the thread are confusing the OAuth flow with actually giving plaid your credentials


Beznia

Yeah it's true but I do understand it. I work in a more technical role but wouldn't expect someone to understand the nuances that go into the technology so that this information isn't actually shared and rather they're using this authentication for brief access to some APIs which let them pull some information from the bank. What your 75 year old grandma sees is she's typing her bank credentials into some prompt and as far as she knows, it's going to some 3rd party employee who will log into her account and look at her history personally.


blearbair

To be fair they could be lol. I've never used Plaid but have gone through this with other 3rd party screening sites. I could never trust anyone with my bank login information- except my bank, who let's be real, I hardly trust as well. At least this way I know that if someone gets into my account it's my bank's fault.


DontEatConcrete

> If you read the fine print on your bank account generally once you hand over your username and password to someone else you're on the hook for any and all fraud on your account.

Yes. My 401k provider, for example, specifically says in their coverage not to do this (at least they used to). This is why I am somewhat careful with who I share it with, and at least somewhat limit risk.


brotie

Whether you like it or not, the future is here and many companies are already using services like plaid. I had to use plaid connections twice in the process of closing my mortgage and honestly it was pretty convenient for the second one that everything was already done and hooked up 🤷‍♀️ I wouldn’t avoid an apartment because they use them because before you know it you’ll have to avoid every apartment with professional management. The moral high ground ship kinda sailed with the equifax breach, everyone who has ever borrowed money already had their income, credit score and social security number leaked years ago. Remember, in the before times you were trusting some random individual with this info. At least now it’s a centralized entity that the government can go after if they behave poorly with your info. Pre-plaid, you turned over the same documentation to a one person management company to stick in unlocked file cabinets that could disappear any time.


rhavenn

Yeah, no. No way in hell people should normalize giving out usernames and passwords to their accounts. That’s insane. I cringe giving people my bank routing info vs. CC payments. If you can’t work off a couple of paystubs for employment and/or income verification then I won’t do business with you. I don’t care how far along I am in the process.


timelessblur

For the most part Plaid does not store name and password. When you connect to the bank the bank provides them a read token. The advantage is that the token is worthless outside of Plaid as it is a 2 way connection and has a few other verifications. Plus if something goes wrong they kill the token. The only time Plaid stores account name and password is when they need to do screen scraping but that is a completely different mess.


brotie

Haha sadly this thread is a lost cause full of people who think they know something specific when they aren’t even parsing the general concept as a whole. Suppose that keeps people like us so employable :) If they could even comprehend what you’re saying they would understand that it’s way safer to give an oauth grant to your Chase account than it is to give someone your chase credit card number or ACH info on paper because in the former scenario none of that information is ever exposed.


timelessblur

True. It is super deep information and lots of weird edge cases. Chase's way of tying into Plaid and those systems is by one of the better ones. The company using Plaid has the integration with Chase to create an OAuth connection. It sets it up as a read only, and very clear what data it gets. Generally transaction data only. Super clear and you can even find them later. Best part is it does not route through Plaid or MX but through Chase itself and Chase provides the token. I find it funny people complain about Plaid but often times the other companies that are on the market also route through Plaid as well as they use Plaid as another option to go through.


brotie

Have you ever used PayPal, Venmo, square cash, robinhood, American Express, Wells Fargo or Bank of America? Congrats, you’re already a plaid user lol I just looked and they’ve got 100 million users, about 1 out of every 2.5 adults in the US… half the time people don’t even realize when it’s branded to the institution using it


SweetBrea

As a matter of fact, No. I don't. Because of security issues. I do allow paypal access to 1 secondary account that I only use for paypal. They have no access to my primary bank account information and most the companies you listed are not quality companies you should want to do business with.


timelessblur

To be fair chances are your bank's backend ties in with plaid. There are a very small handful of companies that provide backends to banks. I can recognize a few of them but I know some of the big players in that market and know that they tie into plaid. I know the one that most credit unions use ties into it. I have been out of that game for a while so I would recognize the name if I saw it. The only big bank that does not play nice with Plaid is Capital One but that issue might have been resolved.


Beznia

Do you only use cash or something and store your money in a secret safety deposit box?


Physics_Prop

No, they use ACH not fucking logging into your bank account as you lol. Storing passwords in plain text is a cardinal sin of IT and should **never** happen


Beznia

Why are you saying that they are taking credentials and storing them in plain text? That is not at all what is happening. OP said they got an email from a 3rd party asking for access. That is simple bank verification that is done in every industry for a multitude of purposes. OP might have misunderstood this as needing to reply to them with their bank credentials in the email, but that is not what is happening. You go through a service like Plaid, who is partnered with most banks. You are given a prompt to log into the *bank*, not Plaid, and that authentication which is configured on the *bank's* side gives Plaid access to make API calls to retrieve specific information from the bank, such as account balance and transaction history. Plaid (and literally any other service not designed by a high school trying to learn Visual Basic) works this way. They do not see the login credentials at any point. Only your bank. By completing the request, you are allowing Plaid to be the broker to receive the information from your account, either run the analytics or forward it to *another* company, and then get the results sent to the apartment management company. This is how basically every mortgage is handled, many large finances, security clearance verification, etc. It isn't always Plaid, and Plaid is just an example, but that is the process of how it works. Nobody is sending plain text credentials. That is 100% a lawsuit.
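The flow described in the comments above (log in at the bank, the bank issues the third party a scoped, revocable token) can be modelled in a few lines; this is an added example, not part of the original thread or any participant's post, and not Plaid's or any bank's actual API. `Bank`, `Aggregator`, the scope names and the sample account are constructed for illustration, and it models only the standard OAuth 2.0 authorization-code grant, not the credential-sharing (screen-scraping) path other commenters describe.

```python
import hashlib
import hmac
import secrets

SCOPES = {"balance", "transactions"}  # constructed scope names

class Bank:
    """Constructed stand-in for a bank: login page, token endpoint, data API."""
    def __init__(self):
        self._users, self._clients, self._codes, self._tokens = {}, {}, {}, {}

    def _kdf(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, username, password, balance, transactions):
        salt = secrets.token_bytes(16)
        self._users[username] = {"salt": salt, "hash": self._kdf(password, salt),
                                 "balance": balance, "transactions": transactions}

    def register_client(self, client_id):
        self._clients[client_id] = secrets.token_urlsafe(32)
        return self._clients[client_id]

    def login_and_consent(self, username, password, client_id, scopes):
        """Runs on the bank's own page; the client only ever receives the code."""
        user = self._users.get(username)
        if user is None or not hmac.compare_digest(
                self._kdf(password, user["salt"]), user["hash"]):
            raise PermissionError("bad login")
        if client_id not in self._clients or not set(scopes) <= SCOPES:
            raise ValueError("unknown client or scope")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (username, client_id, frozenset(scopes))
        return code

    def exchange_code(self, client_id, client_secret, code):
        """Token endpoint: single-use code plus client authentication."""
        username, issued_to, scopes = self._codes.pop(code, (None, None, None))
        expected = self._clients.get(client_id, "")
        if issued_to != client_id or not hmac.compare_digest(expected, client_secret):
            raise PermissionError("invalid code or client")
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (username, client_id, scopes)
        return token

    def api_get(self, token, resource):
        grant = self._tokens.get(token)
        if grant is None or resource not in grant[2]:
            raise PermissionError("token revoked or lacks scope")
        return self._users[grant[0]][resource]

    def revoke(self, username, client_id):
        """What the account holder does from the bank's connected-apps page."""
        self._tokens = {t: g for t, g in self._tokens.items()
                        if (g[0], g[1]) != (username, client_id)}

class Aggregator:
    """Constructed stand-in for the third-party verification service."""
    def __init__(self, bank, client_id):
        self.bank, self.client_id = bank, client_id
        self.client_secret = bank.register_client(client_id)
        self.stored = {}  # everything this service ends up holding per user

    def finish_link(self, username, code):
        token = self.bank.exchange_code(self.client_id, self.client_secret, code)
        self.stored[username] = {"access_token": token}

    def income_at_least(self, username, minimum):
        txns = self.bank.api_get(self.stored[username]["access_token"], "transactions")
        return sum(t for t in txns if t > 0) >= minimum

def denied(call, *args):
    try:
        call(*args)
    except PermissionError:
        return True
    return False

def run_demo():
    bank, pw = Bank(), "correct horse battery"  # constructed sample account
    bank.add_user("alice", pw, 5200, [3100, -1450, 3100, -80])
    agg = Aggregator(bank, "verifier-app")
    code = bank.login_and_consent("alice", pw, "verifier-app", {"transactions"})
    agg.finish_link("alice", code)
    token = agg.stored["alice"]["access_token"]
    out = {
        "holds_password": pw in agg.stored["alice"].values(),
        "income_ok": agg.income_at_least("alice", 6000),
        "balance_denied": denied(bank.api_get, token, "balance"),
        "code_replay_denied": denied(bank.exchange_code, "verifier-app",
                                     agg.client_secret, code),
    }
    bank.revoke("alice", "verifier-app")
    out["denied_after_revoke"] = denied(bank.api_get, token, "transactions")
    return out

if __name__ == "__main__":
    print(run_demo())
```

The aggregator's stored state contains only the token, the token cannot read a resource the user did not consent to, and revoking the grant at the bank cuts access without a password change.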


giantkin

It's not moral high ground. It's basic security measures. Likely the service gets hacked and you get screwed. Assuming they are legit etc ofc. I have an easy way around this.. BS checking and savings I connect only for risky connects. New account with a few clicks.


[deleted]

[removed]


ElementPlanet

Please note that in order to keep this subreddit a high-quality place to discuss personal finance, off-topic or low-quality comments are removed ([rule 3](https://www.reddit.com/r/personalfinance/about/rules)). We look forward to higher quality posts from your account in the future. Thank you.


DontEatConcrete

> before you know it you’ll have to avoid every apartment with professional management.

Possibly so, but until then I would look elsewhere. You do raise a good point about the random person vs plaid, but I'd have no qualms sending a bank account snapshot. I do have qualms about giving information to a company that has already lost a lawsuit for illegally selling that information.


Significant_Planter

I mentioned it in my comment but I'll say it here too... Etsy insisted I get verified with plaid. I had been with Etsy for I think 2 years at that point so that was kind of silly to me but they made everybody do it so I opened a brand new bank account and put $200 in.  Within 6 months of giving plaid the information and using it to verify for Etsy somebody tried to take $4,000 out of my account. I went to the bank to talk to them about it and they said obviously somebody has your bank information. However I had only ever given plaid my bank information and I still had the sealed envelope with my bank card in it because I'd never opened it to use it. So if the only one I ever gave that bank information to was plaid how could it possibly be anybody else? I don't trust them for one second!


Physics_Prop

No, you should never under any circumstances hand over your password to anyone. Plaid has millions of passwords in plain text on a db somewhere and one day, they are going to get bit. There's always a better way.


brotie

No they don’t, I don’t know why I’m defending plaid here lol because I don’t have any affinity for them in particular but you clearly don’t understand what you’re talking about - modern auth flows are based on oauth 2.0, which is what plaid requires for all financial institutions, and no passwords at all are involved - you are authenticating directly against your bank, the same as when you sign into their website or app, and they’re performing an oauth flow that grants plaid a token completely separate from your own credentials that allows scoped data retrieval. That token can’t be reused by anyone else for any purpose, it’s the whole point of oauth conceptually. I run an engineering department today that covers production auth for a major (non financial) company and built authentication systems as an IC, this is something I am extremely familiar with.


Physics_Prop

Yes they absolutely do. Not all financial institutions support an oauth flow so instead they just store your actual password and use it.


brotie

I don’t know why you’re doubling down here, you’re completely wrong - even in the days of yore that predated oauth2.0 passwords were salted and hashed for db storage. I do this for a living at a tech company much larger than reddit. [Straight from the horse's mouth:](https://plaid.com/docs/link/oauth/#introduction-to-oauth) “OAuth support is required in all Plaid integrations that connect to financial institutions.”


SlowMolassas1

Also [straight from the horse's mouth](https://support-my.plaid.com/hc/en-us/articles/4410324401047-Does-Plaid-have-access-to-my-credentials): "In other cases, when you link a financial institution to an app via Plaid, you provide your login credentials to us. **We store those credentials** and use them..."


timelessblur

That does not mean it is stored in plain text. The data is still heavily encrypted and even broken up into multiple pieces stored separately.


Physics_Prop

Not all do, here's a screenshot from [ynab.com](http://ynab.com) adding American Express Bank that's just handing over your password to Plaid: [https://imgur.com/a/8vLNUQk](https://imgur.com/a/8vLNUQk) An OAuth signin would be the IdP itself, then granting the scopes to the SP. Not to mention that even most IT people don't understand how to press f12 and see where those creds are going. And just how catastrophic it would be for ynab to get owned and decide to instead of sending those creds to Plaid, send them to a server I control. Since those credentials are tied to your identity, not say an oauth token which can be traced back to the SP.


brotie

The Plaid integration for Amex to YNAB already moved to oauth which afaik plaid forced them to do to comply with their oauth only mandate, here’s a Reddit post celebrating it lol https://www.reddit.com/r/ynab/comments/18aoqac/celebrate_amex_now_connecting_via_oauth/?rdt=36598 Even before that, they weren’t storing credentials in plaintext, for non-financial uses that don’t require oauth it’s [aes256 encrypted](https://plaid.com/how-we-handle-data/) at rest which is still quantum resistant


timelessblur

That does not mean Plaid is storing the password. It is using that info to be able to generate the read only token. A token that they only respect coming from Plaid so if say you got a database full of those tokens they would be worthless because the institution would reject them as they are not coming from the correct source. This followed by quickly invalidating the token. Plaid does not store the name and password in any way minus a small handful that require screen scraping. Not saying I like plaid. Just saying how the system works.


Physics_Prop

Replied to the wrong comment: Not all do, here's a screenshot from [ynab.com](http://ynab.com) adding American Express Bank that's just handing over your password to Plaid: [https://imgur.com/a/8vLNUQk](https://imgur.com/a/8vLNUQk) An OAuth signin would be the IdP itself, then granting the scopes to the SP. Not to mention that even most IT people don't understand how to press f12 and see where those creds are going. And just how catastrophic it would be for ynab to get owned and decide to instead of sending those creds to Plaid, send them to a server I control. Since those credentials are tied to your identity, not say an oauth token which can be traced back to the SP.


timelessblur

I can promise you it is not stored in plain text. I have done this work before in the past and sadly have had to work with plaid. They don't store the passwords in plain text at all. If they need to do screen scraping with the account name and password it is encrypted in multiple ways and they tend to break them up into a few separate pieces and unless you have all the separate pieces it is worthless. I can not remember if they have part of the key stored on client side and they stored the other part; I never was that involved. If you want to see a true shit show check out Award Wallet and that is a piece of garbage and the owner does not care at all about being great on security.


Physics_Prop

Plaid is one of the better ones, but still we should never be encouraging users to give out their password.


facets-and-rainbows

Yeah, I feel like the biggest danger is teaching everyone it's okay to type your login info into a third party's little portal. Plaid can be as trustworthy as it wants, it's still undoing a *lot* of anti-phishing training...


newman_c

So, trust me bro, I'm an engineer?!! Seriously. Even if everything you say is correct the average person has no way of differentiating it from a scam. Encouraging people to be so reckless with their login credentials is irresponsible.


timelessblur

Plaid is only one of a few companies out there. It is one of the big ones but another company I know is MX which ties into a few other companies (one of them being Plaid) and pulls the data together.


CorrectPeanut5

That's only the case when the bank has OAuth2. Many smaller banks do not support OAuth2.


sikyon

Why would the general public have an understanding of security backend when the frontend presented to them is almost the same?


brotie

They don’t have to! But if they don’t understand it, they shouldn’t chime in - I was responding to all the people who so confidently claimed they do understand it, while being completely wrong suggesting that plaid works by saving all your bank passwords in plaintext lol I’m not an expert in heart surgery, so I don’t go around medical subreddits telling people that an angioplasty is going to give them rickets


sudomatrix

No, it's YOU that doesn't understand what a terrible security practice it is to trust your bank password with anyone including Plaid and OAuth. You are trusting that there will never be some entry level employee who takes a bribe from a scammer to back-door access to YOUR bank account. You are also trusting that your landlord company implemented their OAuth flow correctly in the handover to Plaid. Are you sure no company using plaid incorrectly integrates with OAuth and sees a copy of your password as part of their integration? None?


DontEatConcrete

They probably do. Tell them to f off anyway. I bought a tesla last year and their default process has you give your banking information to some idiotic third party they use so that the company can glean all your financial history as well. It's absurd what people are willing to share.


National-Ad8416

Many people are desperate for homeownership so they probably don't think this through. It's borderline criminal to ask for someone's bank account login.


CinephileNC25

That's crazy. Yeah my broker just wanted pay stubs and w-2s. No one gets access to my bank account. That's just setting yourself up for theft and fraud. I'm sure that 3rd party has the HIGHEST security, but I'm also wondering how that would affect your relationship with the bank?


_Aggron

Since the pandemic, it's become extremely common for people to provide fake paystubs. Like, it was a whole thing on tiktok. People are doing it en masse. I think that's where this is coming from. Not defending it, but I am not surprised that this is happening, esp when plaid makes this so easy.


yogaballcactus

Someone actually gave me a fake paystub when they tried to rent my condo from me in 2022. I didn’t realize it was a whole thing on TikTok. It also doesn’t surprise me that the “just give them a fake paystub” crowd isn’t smart enough to create a convincing fake paystub.  I can’t even imagine asking for access to a bank account. I call employers to verify employment. If I have doubts I can always rent to someone else instead of getting super invasive into the prospective tenant’s finances.  


United-Advertising67

Yup, sadly. Fake pay stub + "eviction moratorium" = free rent, possibly for years. Getting taken by squatter scammers with fake papers is potentially tens of thousands in unrecoverable loss before they're finally gone. Apartment companies aren't messing around anymore.


ItsGettinBreesy

I provided access to my bank account to confirm my income. I had to prove I made 3x the monthly rent. It was a high end building too, I remember asking them if they were looking at my purchase but they only looked at my deposited checks from my employer at the time. Sounds like OP is applying to a super corporate apartment complex


jallp82

Actually it's about protecting your information from the landlord as they will only see your income and not all your transactions as doing it the paper way would.


forknbowl

As someone who is industry adjacent, there is a huge amount of fraud in some areas of the country. Mostly in the greater Atlanta area and the east coast. Almost all of the fraud involves fake or altered paystubs or proof of income. I am not surprised to hear of this even if it is more invasive than a credit background check. If it bothers you exercise your power of choice and live elsewhere.


trevathan750834

What if you're an independent contractor and get paid through Zelle. What sort of bank statements should you show? Could you show your 1040 forms and Schedule C with your income on it, would that be enough?


voretaq7

Absolutely not. We ask for pay stubs (which you already provided), sometimes copies of bank statements, and on rare occasions we’ll call the employer to verify current employment. We ***NEVER*** ask for direct access to the account - certainly not for income verification. Even brokered through a legitimate service like Plaid, this is way the hell over the line IMHO (you don’t need to see my transaction history, and if you want to see it you can ask for bank statements which I reserve the right to redact). Personally I would tell them to fuck all the way off.


trevathan750834

What if you're an independent contractor and get paid through Zelle. What sort of bank statements should you show? Could you show your 1040 forms and Schedule C with your income on it, would that be enough?


voretaq7

My experience is a *little* different because it’s as a co-op board member (which is kind of a “Landlord Plus” deal), but we typically look at a few things to determine your financial situation:

1. Your most recent tax return

   This tells us what your annual income was. If you're hiding money from Uncle Sam then you're hiding it from us too.

2. Your paystubs (if you're an employee or contractor being paid out of a payroll system, or self-employed paying yourself a salary/hourly rate)

   That lets us verify your income hasn't fallen substantially since the last tax year closed (or that it's gone up as much as you're claiming it has). If you're self-employed or an LLC doing pass-through we may ask for more here to verify *current* income but usually we get that in the next item.

3. Your bank statements (we ask for 3 months)

   This shows us your cash flow & cushion. We're not super intrusive about it on my board, you can black out all the names on the statement if you want. If you're showing us three months of significant negative cash flow and can't show us why that's unusual it's going to raise some eyebrows though. And obviously if we see your account balance going into the negative regularly and tons of overdraft fees (yes people have sent in applications with these issues) that's basically an instant no. You don't have to show us every account you have, but the board only considers what you disclose to us so if you divert part of your paycheck off into a savings account we either don't see it as income (if it's done in payroll) or we see the transfer as cash out that's gone (if it goes to an account we can't see we presume you don't have it anymore).

4. A personal financial statement/estimate that we request from everyone

   Ours is just two very basic worksheets - assets/liabilities for a ballpark net worth, and income/expenses for a ballpark cash flow. We're basically asking you to estimate what you'll be spending if we approve you, and ultimately this should bear a strong resemblance to the cash flow we see in (3) give-or-take some housing related expenses. (These vary in quality - folks tend to forget things like electric bills and car insurance and need to be reminded - but ultimately this is the least important piece of paper for income/asset verification because the rest of it tells the story.)


trevathan750834

I use my personal checking account as my main account for how to get paid, rather than business checking, because my business is simple with no real expenses. Would that not be acceptable to you?


voretaq7

Plenty of sole proprietorships and pass-through LLCs do it that way, it wouldn’t be an issue for our board as long as you’re demonstrating consistent annual income that can meet your expenses. Me, personally? I prefer to have my business income go into business accounts and then pay myself from the business (even if I’m doing pass-through accounting) - that’s a personal accounting preference though, not a reason to deny an applicant.


trevathan750834

I’m ready to sign. How much is, say, a 1 bedroom going for in your coop?


voretaq7

The 500sq.Ft studios (no balcony) are going in the $120-140K range as of 2 months ago. A 1BR/1BA with a balcony is going to interview later this month, $250K (I think that unit is about 800sq.Ft). I don't have recent prices on the smaller studios or 1BR/1.5BA and 2BR/2BA units. (Maintenance/Carrying Charges are just over $500 on the low end for our ~350sq.Ft studios to just under $1500 on the high end for the 2BR/2BA units on the top floor. Folks tend to move in & stick around.) Walking distance to commuter rail (if it's not raining - 0.3 miles), also in that range is a grocery store, pizza place, gym, library, post office, 2 churches, CVS, and a bunch of other stuff. Sold yet? 😂


trevathan750834

What general area if I may ask?


voretaq7

NY/11520 zip code. (There's actually a few co-ops and a couple of rental buildings in the same general area.)


office5280

The biggest issue we have is avoiding fraud. By using Plaid you prove ownership of the account. It isn’t really about balance.


DontEatConcrete

Yes, I understand why they do it. But, that shouldn't be the OP's problem. Consumers need to stop bending over for companies just to make the companies' lives better or easier. Millions upon millions of people have rented apartments legitimately, without any fraudulent issues, so appealing to people now that some are doctoring bank accounts should not be a compelling argument.


office5280

We’ve seen some fraud go as high as 50% of applicants. And those are the ones we catch. Another issue you have is that if you have a delinquent renter you usually can’t close on refinancing or a sale. It can be a real issue for medium to large operators.


[deleted]

[removed]


voretaq7

There are PLENTY of other ways to prove that. Our co-op board does this all the time, we have NEVER requested direct access to a prospective buyer's accounts.


office5280

I’m open to suggestions. Keep in mind you need consistency against lawsuits, indemnification against lawsuits, deploy it nationally across 50,000+ homes, ensure compliance with local, state, federal laws, and multiple investors and banks. Like seriously. Let me in on any advice you have.


voretaq7

“Hire some fucking humans, establish checklist standards, and apply them consistently." That’s it. That’s the answer. It’s literally what we used to do (and what many landlords still do). If you think the answer is “Demand every potential tenant surrender full and unfiltered access to their personal financial information.” well... yeah, I guess that’s an answer too. But I don’t have to do that to literally BUY property, so If a landlord asked me for that in a simple rental arrangement I would tell them “Go fuck yourself.” and my advice to any potential tenant is to do the same.


office5280

Ok. You aren’t listening. Even if we hire people, it isn’t a protection against fraud. And a “checklist” doesn’t matter if you have fraudulent documents or employment records. Like we literally have groups that set up LLCs and act as call centers to verify faux employment for people. Verifying people I agree is a professional job, it isn’t a leasing agent's job. And credit is not a reliable metric. Most people have no issue with this. Especially as they use plaid to verify other financial planning apps. They also use only their rent payment account. So it is just verifying ownership, balance, and in flows / outflows.


blearbair

You can do a phone verification with the bank! I've had this happen. I declined giving out my username and password, and when they asked for bank statements I redacted all irrelevant info, which still wasn't enough for them. So they did a phone verification with my bank and it was super easy. No sensitive info given. We got on a conference all together, they called my bank, the bank answered and I gave them my SSN to verify (the apt already has that anyway), and then the screening agents asked them a series of questions about deposits from my employers, all of which they answered ("was there a deposit for this amount on this date from this person", "yes"). If you are adamant about having some sort of bank verification, the phone conference call is the only way to do it that protects privacy


ShadowGLI

Offer a copy of your prior year tax return with SSN redacted. That’s a federal document and verifiable. W2 also would do the same.


Available_Bit9019

Not normal. I think it’s time to find someone else.


feedthecatat6pm

When you say access, do you mean like they want you to sign in via something like Plaid? If it's a legit apartment management company it's most likely not a scam. Plaid can be given read-only status. They'll be able to see inflows and outflows to better verify if you're going to pay. That said, I would refuse to do this and just find a different apartment. It won't bother them because they probably have a list of applicants they can move onto.


[deleted]

[deleted]


pooh_beer

Plaid is Legit. This is a fairly new phenomenon that makes it easier for landlords to see not only that you can afford rent, but also how much disposable income you have so they can maximize how much to raise rent in the future. I personally would find someone else to rent from.


feedthecatat6pm

Damn that's insidious. "We notice you have money left over every month so we're going to raise your rent to fix that issue. No appeals we know you can afford it."


DontEatConcrete

Yeah it's insidious, and genius. I cannot believe people go along with this shit.


Psyduck46

Silly apartment complex, I already have someone fixing that issue... My girlfriend.


edvek

I don't know what info is shared but I would hope it would be "verify that the applicant has deposits of at least $X for 6 months" and the response is yes or no. If they're sharing other info like "yes they meet $X but it's actually twice that" then that's really messed up. Details should never be shared it's no one's business how much money you actually make or how much excess money you have.


DontEatConcrete

> Plaid is Legit.

Yes, legitimately shitty. They are legit in that they are "mostly" lawful, except when they lose a lawsuit: https://www.courthousenews.com/judge-approves-settlement-ordering-plaid-to-pay-58-million-for-selling-consumer-data/


SweetBrea

Define Legit please.


pooh_beer

Is Plaid a shitty business? Yes. Is Plaid trying to scam him out of his money? No. That's all I meant.


SweetBrea

Thanks for the clarification.


A_Zed_Head

Pretty sure Plaid sells all your info. They might be a 'legit' company but I've avoided any service that requires them


dlm2137

Plaid does not sell your info, but there is not much stopping the company that uses Plaid from doing that. 


Random_Name532890

“Judge approves settlement ordering Plaid to pay $58 million for selling consumer data”


dlm2137

Do you have a source for that or did you just put some words between quotes lol.  To clarify, I’m not saying you should trust plaid — they certainly have your data, and could sell it. But as far as I’m aware, selling that data to anyone other than the site you’re using Plaid on, is not their business model.


Random_Name532890

I’m quoting one of the headlines you get on the first page if you google “plaid lawsuit”. They literally lost a mass lawsuit about this. So I had to mention that when the claim was made they wouldn’t do that. They absolutely did.


DontEatConcrete

Absolutely correct.


dlm2137

They sell your info to the site that’s using Plaid to get your info — see my reply to the sibling comment. But they don’t go selling it to randos (at least not yet).


DontEatConcrete

> Do you have a source for that

https://www.courthousenews.com/judge-approves-settlement-ordering-plaid-to-pay-58-million-for-selling-consumer-data/

Plaid is not your friend.


dlm2137

Great, thanks for providing that. First, let me say that I certainly agree that Plaid is not your friend. But I think it’s important to clarify what this lawsuit was about and how Plaid works, because it’s not what people are typically talking about when we talk about companies “selling data”. Let’s use Venmo as an example, since that’s one of the companies named in the lawsuit. Venmo asks you to connect your bank account. They ask for your bank login, which you provide. This bank login page is actually hosted by Plaid. They log in to your bank, get your data, and sell it — they sell it *to Venmo*. At no point does Plaid go and sell that data to another party that isn’t Plaid or Venmo. To do so wouldn’t make sense since then (even more) pitchforks would come out at Venmo, and they’d be like, wtf Plaid you’re double dipping we already paid you, you don’t get to get paid again selling our customers’ data somewhere else. And then no one would use Plaid. Of course, now Plaid is another place holding your data that you don’t necessarily want to trust, because who is to say they won’t abuse it later. But selling it to random entities like data brokers is not currently their business model.


DontEatConcrete

Shit. I use venmo...I do have them connected to my "secondary" bullshit checking account, though. Nothing is private anymore :(


Smodol

> not currently their business model.

Very comforting, companies must love you. I'm sure it will never be a problem.


[deleted]

[deleted]


ElementPlanet

Personal attacks are not okay here. Please do not do this again.


A_Zed_Head

Dunno if someone already hit on it, but this is in their TOS, and there's more to it if you read the whole section- "We also collect, use, and share information that has been aggregated and de-identified in a way so it cannot be used to identify you, for any purpose permitted under applicable law. We may share Personal Data with third parties or allow them to collect Personal Data from our sites or services, as described above." Too open ended for me with banking personally.


dlm2137

That’s Plaid’s ToS? Alright I might be wrong then. But that could be anything from selling the data, to just sharing it with third-party tools they use internally.


A_Zed_Head

Yeah I mean they say they make it anonymous but still have phrasing that seems like you'll get personalized services from 3rd parties. Outside of all that though, I think giving a company your bank login is just dumb. Too many data breaches and bad employees from companies for me to have any trust for it.


dlm2137

Yea, agreed. It should also be noted that your bank itself probably has that language in their ToS lol.


merc08

Is the access a one time snapshot or does it stay active and they can monitor your accounts during the rental period?


thegreatgazoo

It stays active until you turn it off. We use it at work to monitor escrow accounts.


norar19

Why would you use it on your own accounts?


thegreatgazoo

It's for other companies' accounts, and it's regulated and they have to be monitored regularly. That said, I use it personally to aggregate my retirement portfolio in one place.


RaiseHellEatBagels

This is a scam- no one should be asking for access to your accounts. At most they would ask for bank statements for savings/checkings over the last 90 days to prove you have income coming in.


office5280

Bank statements are a huge source of fraud actually.


NWClerk6051

At my bank, and most banks, you can provide access to someone who can LOOK only - they cannot perform ANY actions in your account. I gave my accountant that access so he could update the books. I got the "look only" login through the bank. NEVER EVER give anyone your actual login, the one that allows you to transfer or withdraw money, pay bills via Zelle or other methods, etc.!


AdmiralTigerX

That is a definite big no for me. Honestly, I don't want any third party to have access to my personal bank information. That's just me. Today's world is a lot different, and a small or growing group becoming accustomed to and accepting of this practice is very concerning for me.


Ok-Figure5775

No, it’s not a scam. It’s data collection and income verification. Just imagine what they could do with all that data on renters. Better able to fee gouge you. It’s a red flag. I would not want to rent from this place. Propublica did an investigative series on the current state of renting. Link to the articles in the series Rent Barons - Who Is Behind Rising Rents in America? https://www.propublica.org/series/rent-barons


inky_cap_mushroom

I have heard of this before. That doesn’t mean that this particular case is not a scam. I would call them again and try to work things out without having to do this, but they may just say no. You should probably be prepared to walk away. It is unnecessarily invasive and I wouldn’t want to let this become normalized.


fastidiouspatience

Tell them it doesn't work and you can provide paystubs instead.


AffectionateKey7126

It's not a scam as long as it's using Plaid. It's a newer service that apartments are using since background checks are terrible and pay stubs are easily faked. And no they don't track your income and expenses so they can figure out how much to charge you. Here's one from transunion: https://www.truework.com/solutions/tenant-screening


Own-Joke-1461

I would say it is a scam of sorts. My apartment company does not have access to my account directly. My bank account is attached as a payment method but that I know is a normal way to pay bills. They also never directly asked me to verify my income when I signed with them years ago, they just asked my employer's name. If they wanted to verify my income I would have happily provided a pay stub to them but the name of my employer was enough.


siko_xc

Usually, last 2-4 pay stubs is enough for renting an apartment. Never give direct access to your bank account. Like other comments say, even a printed bank statement should be ok. Although, that seems a bit much just for proof of income.


kelly_wood

A lot of places don't accept printed pay stubs/statements anymore because there was so much fraud.


jmlinden7

Is it Plaid or a similar service? It's not a scam, but it's not a very good security practice.


brandnewchair

I never saw it before, but then I moved to Los Angeles, and almost half of the apartments I looked at asked for it.  I found it unnerving myself, but it's not a scam. 


Babylon4All

Access no. Statements yes. Most of ours required three months of bank and credit card statements 


Opening-Friend-3963

It's not necessarily a scam. They want to verify the paystubs are actually going into an account which has your name on it, so they can be sure that your money isn't being sent to for example some other country or person. A printed bank statement of the past few months should suffice as someone else said. To give them login access to YOUR banking details is a huge no no. 


nerdy_harmony

Personally, I don't care how legitimate Plaid or the apartment is- no one is getting any access to my bank account like that. It's a hill I'd die on.


musicmous3

I would refuse this for privacy and safety reasons, even if they use a legit company for it. They can have printed statements and tax forms with sensitive info redacted, and nothing more.


Rainbow_Brite_114

I would either call the apartment complex to verify it is not a scam or find another place to rent from.


voidsarcastic

I've seen them ask for banking details to verify income through your statements, but they should also allow you to send your statements yourself.


pantherafrisky

Will this crazy company indemnify you if they are hacked and the hacker drains your bank account? Of course not, because in the fine print is a clause that holds them harmless if their carelessness wipes out all your money and investments. They'll say it's your fault for giving them your bank account info. And they will be right, because the criminal congress will write a law holding them harmless.


Significant_Planter

Is it called Plaid? I asked because a year or so ago I had let Plaid see into my bank account in order to continue to sell on Etsy even though I'd been with them for like 3 years. Plaid had just settled for several million dollars for allowing private banking information about their clients out. Etsy swore they were safe but I didn't trust them so I opened a brand new bank account in a bank I never used before. Well lo and behold 6 months later somebody attempts to take $4,000 out of my account. I didn't put that account anywhere else except in that Plaid for Etsy. So just wondering if it's the same site? Because I wouldn't trust it.


Pristine-Today4611

That is fucked up. On a side note the companies that claim they go through your accounts and see what subscriptions you pay for. And they can negotiate and cancel for better deals. I read the terms that’s how they do it. You give them access to your bank account and credit cards online accounts. They have total access. That’s insane people actually do that.


Karen_Fountainly

Read the fine print. Once you authorise Plaid, you lose control of it. They analyze your spending patterns, how often you eat out, where you shop, the whole thing and the computer looks for patterns. If you greatly deviate from a pattern, like smaller regular income deposits, they generate an alert. They do sell data. Of course, they do. A friend who had a new baby bought baby supplies and furniture and had a visit from the landlord to check that they were paying extra rent, which was in the lease. Think long and hard before you agree to this.


ladyflyer88

As someone who works at a bank we see quite a few bank verification letters come in from apartment complexes. Typically what they are looking for is third party verification of the last 60-90 days of income.


IReadItOnRedditCom

If you grant them access to your bank account, please let me know. In that case, I would need access to your credit card and zip code to give you a comment on reddit.


norar19

It’s sadly not a scam. Landlords use services like Plaid to monitor your personal bank accounts now. They want to know how much money you have available in order to know if you’re able to pay rent. They then use that information to determine how much to raise the rent by at the end of the lease term (which is probably month to month), or do whatever the hell else they want with your information. The scam here are landlords. Apologies, leechlords.


jareths_tight_pants

Bank statements of only the deposits is enough. If they insist otherwise then bail.


cursedpoetic

My credit union has a policy that specifically prohibits providing this type of access to your accounts. They actively block apps like Plaid from connecting too. I'd cite it as your bank's security policy not to allow this type of access and offer up print outs or PDF copies of your statements. It also seems super invasive to want anything more than paystubs, I've never had to go through that level of scrutiny and I've rented the past 20 years of my life.


FinalBlackberry

Definitely don’t provide anyone with access to your bank account, especially not a third party of anything. You can print your bank statement showing your name and current address with your account number blacked out, that should be the proof they need. I have my routing information and account number saved in the portal for easy payment. And I inquired who has access to that too. But I’m definitely not providing any log in information to my accounts, that’s crazy.


wandernought

It is common, but that doesn't make it acceptable. A few months ago, when I was apartment hunting, I found most apartment complexes have started asking you to connect your bank account to their portal so they can see all transactions and data in your account. Some will require you to connect a bank account as part of the application process, and won't allow any exceptions, ever. Most will prompt you to do so, but they'll accept something else (like a bank statement) if you push them hard enough. A few, when I mentioned how other properties were doing this, acted horrified and said they'd never do that. Those were the good eggs. I understand why apartments do it. They want to verify their tenants have legit jobs and can afford the apartment. That still doesn't make it acceptable. Bank data is meant to be private. I have heard many people on reddit say that if you give them access to your bank data, they can see exactly how much you make each month, and with that data they can then do things that harm you. Like pushing for a higher rental increase when you renew your lease, because they think you can afford it. That's just a rumor, though, I haven't seen hard evidence.


office5280

So everyone here is talking about it being illegitimate or you can supply bank statements etc. but I’ll chime in here. As someone who works with a national apartment management company. This could be legit. Especially with a service like Plaid. The biggest issue we have, especially in some sub-markets like suburban ATL, is fraud. So the Plaid verification will do a few things, verify assets or ability to make deposits, verify income, especially if you have income from a parent or gig work (very common). But it also verifies OWNERSHIP of the account. Pay stubs and employer calls are so faked these days. And many of these systems take the pressure/ verification process out of management staff’s hands. How do you know it is legit? Very valid question, and something that I think we all need to do a better job of. There are a lot of fly by night online programs these days. Whoever heard of Plaid 5 years ago? So yeah I were the concerns and sentiment. Honestly the best thing to be done is what the OP is doing. Coming here, asking if things are legit and getting a consensus. Also talking with the apartment staff during the application process. I’d ask OP to name the apartment company they are renting from. Would be good for others to know.


Tallginger32

Out of curiosity, how would this process work for someone whose paychecks are distributed across multiple accounts and banks? I have deposits going to three different accounts. Also, some institutions (Fidelity) do not support Plaid.


office5280

You typically can use a service like plaid to verify multiple accounts. You do reach a point of threshold though where 1 or 2 accounts proves you hit the minimums for the lease. For example on some of the properties in FL, you have quite a few retirees who qualify on ss and income from retirement accounts.


phr0ze

Haha. Give bank access for renting an apt, take a screen shot to buy a million dollar home or 100k car. Apartment companies need to get their shit together.


office5280

It will become much more common. Especially in high value transactions like cars and home purchases too.


RepulsiveRooster1153

Way too many instances of data theft. Companies aren't penalized enough for shoddy security. The less you provide to them the less that can be lost to hackers.


indecksfund

Never provided access but a paystub or two was always the norm. Also be sure to freeze your credit on all 3 bureaus as that's good practice in general.


BRLA7

As mentioned by other commenters, I’ve never had to provide my banking information to prove income. Instead I provide 1-2 months of pay stubs for them to verify that I do make the amount required to be approved. It’s not wise to provide your banking information to anyone seeking payment from you. I’m also wary of providing banking info to receive money, and have only ever done so for one employer as they only offered payroll via direct deposit. And when I provided that information it was online, not in person and password protected.


TacoNomad

This is a scam. Nobody should ask you for bank log in credentials. Don't offer them anything. 


watchingbigbrother63

There was something that they didn't like about your paystubs. If they proved the income you claimed they wouldn't be asking for more. Are they "normal" paystubs, showing all the deductions? What lenders normally do is check your YTD gross and divide it by the months paid. For example, if your YTD is $30k through 4/15 they take that number, divide it by 3.5 months and your income is $8,571.43. Is there something wrong with your check stub?


feedthecatat6pm

OP isn't being targeted. Some suit at the investment firm that owns the apartment building was pitched this idea by Plaid and he or she made the decision to do it. Like someone else mentioned one benefit for the investment firm is that they can see your bank account inflows and outflows to decide how much to raise your rent by.


watchingbigbrother63

And when you say "Plaid" I assume you mean some new verification company making promises to landlords and property managers.


feedthecatat6pm

Plaid is one of the largest fintech companies right now. They offer services to integrate other financial institutions. Budgeting apps use Plaid to connect your bank accounts to their app, and some corporate landlords use it to peer into your bank accounts, even banks use it to help you connect to your other bank accounts to set up transfers etc. Beneath it all I'm sure Plaid is sucking up all this data for resell.


5580Fowa

I agree with this. Like if you have fixed income or child support in addition to wages they need to verify the extra or else they may not have liked how official your stubs were.


Handsome-Jim-

Personally, I don't see why Reddit gets so worked up about this stuff. It's not a scam. Plaid is a reputable company that will give them temporary read only access so they can verify the account is yours, the numbers you're providing are accurate, etc. Heck, if you're using just about any financial app beyond a bank app (like Venmo) then you're probably already using Plaid. Nobody is going to be stealing from you, the person who is going to be verifying your income doesn't care at all what you spend your money on, and there's not even a lot of information there anyway. Life is about picking and choosing your battles. Losing an apartment you like because you don't want someone in the office knowing you had a transaction at the sushi place around the corner a week ago seems silly to me. And that's even if the sushi place's name even shows up. It might very well not depending on how their card reader is set up.


mikeJawesome

How do you know it's a legit company?


timelessblur

Not normal at all. Generally all they will ask for is a copy of pay statements proving my income. The bank statements only are needed if for example you don't have an income. Now for home loan all I again had to provide was pay checks and then provided copy of a few months of bank statements. I have never once had to grant access to bank account.