For what it's worth, my caution is
because I work in information security in the financial industry. I spent a good chunk of five years working on wire payment security.
Giving account and routing numbers to a SA is
vastly less risky than giving financial institution login details to a 3rd party -- whether it's some sexy venture-funded darling like Plaid or, um, other people who might ask for your account name and password, like, say, Joey Knuckles' House Of Cards -- for several reasons.
- An account and routing number pick out a single account at an institution. Adding an account that's used only for transfers of this type is of extremely low cost -- often free. For example, if you're a Chase customer, they'll give you a second checking account (they call it a "Liquid" account) with no checks, just for the asking. You can use it as a holding place for money that's being transferred in or out and have full confidence that anyone who's got those account details can never touch any other funds you have there.
- Procedures for reversing mistaken, fraudulent, or otherwise improper ACH and wire transfers are well established, well understood, and high-confidence. If an SA uses your routing and account numbers to steal your money, it's likely they'll be caught (even if they're savvy enough to send it to a casino in the Phillippines) but it's almost certain you'll get if back whether they end up in jail or not.
- Giving your account name and password for an institution to a 3rd party has none of these properties. Your account name and password can be used to do almost anything to any account you have at that institution. Heck, they can even be used to change your contact details so that if fraud is flagged, you don't learn about it for days or weeks. Once you hand over that login name and password the sky's the limit. You can't limit it to an account that has a zero balance except when you expect to be buying a car; in fact, you can't even block off access to CDs, retirement accounts or other assets so that whoever or whatever has that password can't touch them. It's practically like handing them a power of attorney: they are you. And procedures for reversing mistaken, fraudulent, or improper transactions made with your account name and password? I should be a little circumspect in what I say here but I will suggest at least that if you knew how this was likely to go if you had to try it, you would not be happy about it.
- Seriously, read Plaid's user agreement and, if you really want something to think about, your financial institution's user agreement and in particular what it says about your obligation to keep your credentials secret and what happens to their obligations to you if you don't. And then if you're still totally pleased to go telling people your password because they got a bunch of Menlo Park venture money, do a little reading about who's likely to prevail in arbitration if you do get into a dispute about it.
And if all that leaves you fine and dandy? Go for it.
Me, if what I'm hearing here is that if I show up at the delivery with a cashier's check it's still fine, my concerns just shift to being sure I know whom to have it made out to...