Plaid is FCA-authorised as an Account Information Service Provider (AISP) and acts as a regulated Open Banking middleware layer. The bank-side connection uses OAuth 2.0 with short-lived access tokens and refresh token rotation, TLS 1.2/1.3 encryption in transit, and Strong Customer Authentication (SCA) enforced during the initial bank consent flow. Plaid is never given raw bank credentials — customers authenticate directly with their bank via the Plaid-hosted UI and consent to share specific account data.

Additionally, on the Access Coins side:

Plaid stores account metadata (account number, sort code, account name, institution), transaction data (amounts, dates, descriptions, merchant info where available), and OAuth tokens. Raw bank credentials are never stored by Plaid.

Plaid is US-headquartered (San Francisco). For EU customers, data is processed within AWS infrastructure.

AES-256 encryption at rest, TLS in transit, SOC 2 Type II certified, with internal access controls and audit logging.

Plaid's default is to retain transaction data for a rolling period (Plaid makes up to 24 months of transaction history accessible, varying by bank). Plaid's own data retention for your linked accounts continues for as long as the connection is active.

Plaid targets 99.9%+ uptime and operates continuously with rolling deployments — there are no planned downtime windows for the Plaid platform itself. Note that availability for specific banks depends on those banks' own Open Banking API uptime. Bank-side maintenance (particularly weekend overnight windows) can temporarily affect connectivity. Real-time status is published at status.plaid.com.

Plaid access is provisioned through Access Workspace (Hub) on a tenant basis rather than as a traditional Coins module licence (no licence required). Relevant keys will be provided by Access Coins to be added to the parameters (PLDHMAC, PLDSECID, PLDSUBID, PLDTENANTID — API credentials and tenant identifiers).