Granted, it's partly my fault for letting a loved one be that computer un-savvy, but that kind of ad should have been detected and blocked before it was ever served.

Edit: it’s fixed by requesting the desktop website.

But anyway, on my laptop, the article was just clean text and a byline with some well-formatted images.

Failing to install ublock on your parents computer is a form of abuse! :-)

- We currently work with two partner banks, Evolve Bank and Trust and Choice Financial

- Both our partner banks operate or are part of a sweep network (https://mercury.com/blog/company-news/understanding-bank-swe...), where they can move funds into other banks. Each bank your money is in increases FDIC coverage by 250K.

- For customers on our partner bank Evolve, this was bumped from 1mm to 3mm as of this morning. You get this automatically if you have accepted the T&Cs for the sweep program already; if you haven't you can do so at: https://mercury.com/settings/vault

- For customers on our partner bank Choice, you're still at 1mm FDIC insurance. We are working on getting you an Evolve savings account (or getting increased coverage from Choice) by tomorrow morning, or you can keep excess funds in Treasury (see below)

# treasury

- We also have a product called Mercury Treasury. This allows you to invest in mutual funds, the safest of which is a Vanguard Treasury Money Market fund (VUSXX), which invests primarily in short-term U.S. Treasury bills https://investor.vanguard.com/investment-products/mutual-fun...

- These securities are held in your name at Apex Clearing, which is https://www.apexclearing.com/

- They're not part of any fractional reserve system like with banks; every share of a mutual fund you hold is in your name and Apex can't lend against it (unless you give them permission which would be weird)

- You can automatically sweep any funds between our treasury product and your savings account. Liquidity is about 3 to 4 days.

- All treasury funds are visible on your Mercury dashboard, so you don't have to manually manage fund movements or keep track of your total balance across websites

- You also earn interest on these

AMA if you'd like, though caveat I'm jumping between a lot of Slack messages right now (edit: probably bowing eat to eat lunch)

Who is the owner of record on these Mercury accounts at "other banks"?

Can I withdraw *my* money from these "other banks" without Mercury involvement or approval? If not, then *Mercury* may have increased FDIC coverage but the Mercury depositor does not.

You as the customer are the owner of record on the funds. The accounts are held by our partner banks at these other banks, as your agent and custodian (something like "Evolve Bank and Trust for benefit of Acme Corp).

The FDIC insurance applies to the business holding the funds; it is definitely not insuring Mercury itself.

You do need to use Mercury to withdraw the funds; we still run all the authorization and compliance rules around this, and there isn't a facility for you to go into eg United Texas Bank and ask for your money. That said, if Mercury were to go bankrupt tomorrow, your funds are held by our partner banks who have full KYC/KYB info on you would be able to access all your funds.

How fast and how?

You might consider providing a "living will" document that keeps your clients up-to-date on where the $$$ are and how they access them. If I'm using something like this I would want to be sure I can make payroll the day after you vanish.

(Not a potential customer or cash management expert, prioritize accordingly.)

My best guess, not until OK'd by a bankruptcy judge. You may have a strong claim on the funds but so does Mercury --- hence the fact stated above that you can't withdraw without their approval. On the other hand, they may be able to withdraw without your approval. A bankruptcy judge is the only one who could override their claim and release these funds to you.

Remember, SVB was an FDIC bank. The reason depositors are able to withdraw money today is because of the quick actions of the FDIC.

If the client is the owner of record Mercury hasn't any claim at all.

Only Mercury knows the exact structural details but based solely on their statement above, they have significant control and claims that you can't easily override yourself.

I wouldn't count on this all being resolved quickly in the event of a bankruptcy.

SVB offered sweep accounts. Guess how that worked out for folks with money in those accounts? They lost access just like everyone else. If you had a sweep account and you needed to make payroll on Friday, you were not protected.

Mercury charges 60bps for their Treasury product. Why the hefty fee for buying MMFs? VUSXX expense ratio is 9bps for comparison.

Question: what happens when FDIC limits are exceeded. For example, someone deposits 5M on a 3M limit.

Are the excess funds equally distributed over the underlying banks, or is there a specific allocation strategy?

1. As others have said in the comments, I wouldn't assume all funds are 100% insured. It is trending that way but I think if you are a CFO managing 10s of millions, its responsible to consider other assets.

2. Our interest rates on Treasury are pretty competitive, up to 4.67% for the slightly-less-conservative fund MULSX (various conditions apply, depends on how much you hold in treasury, etc; see https://mercury.com/treasury for details).

We are OK not having the absolute highest interest rate offering. Our position is:

* The Mercury product is much better than what most banks offer, across features like searching transactions, WebAuthn logins, virtual cards, etc (You can try the whole website at https://demo.mercury.com/)

* Mercury is much better optimized for startups (eg compliance that understands startup needs, doesn't ask your CEO to go into a branch to send wires)

You can always get a higher interest rate by eg buying treasuries yourself. Our position is for most founders, investing in these mutual funds is a safe, no-brainer options that optimizes for safety while keeping the convenience of a single dashboard.

1) You get bailed out no matter what your insurance rate

2) Defaults are at such a high rate that the FDIC doesn't have the money to bail everyone out, the economy tanks, and all businesses that rely on risky VC investment fail anyway

It's like betting $100 on something that won't happen until you're dead. Sure, you might be correct, but there's no real benefit to it.

List of investors here:

https://mercury.com/about

This can be helpful for avoiding resource contention, or hitting an API limit.

This article obviously has a very specific kind of workload/service/target in mind that they fail to define and they overgeneralize. This is bad advice in many situations that they failed to imagine.

After pointing to the NIST standards (and two other references) saying that that reduced security and saying "we're not prepared to reduce our security" they backed off.

Tip for those in settings with compliance reviews and cybersecurity insurance: get your PCI DSS, SOX, and other auditors, and cybersecurity insurance underwriter on board with these standards as well, with written statements. Then if Big Customer Co. pushes back after you say, "we're not prepared to reduce our security", ask them in a friendly way to hold an N-way meeting between their auditors and insurance underwriter, and your auditors and insurance underwriter.

This gets them to switch off their demand. Every. Time. If they don't back off on their own, their auditors and/or insurance underwriter makes them back off. I've yet to have such a Big Customer Co. push it to the point of asking more than one of their own auditors, though. Usually it is someone not in auditing and insurance underwriting blithely following outdated policies written in the Stone Age that still need updating, and most are grateful for the updated clarification.

You have to get out ahead of the business risk though for this to work: you need to properly socialize the delay this puts on the deal "while auditors and insurers sort out the risk". This is where soft skills shine.

This approach will also take care of the response user patrakov gave ("NIST is an American institute, and we are a Japanese company, we have our own standards that differ, and must follow them"), once it gets to the insurance underwriters talking it over on how to divvy up the risk and amend their policies if necessary.

It’s still messy at this time, but if it is important enough to you, then sometimes it can be obtained. Most of my clients aren’t that doctrinaire over the expiration part though and are still comfortable making everyone change every 90 days, and with some enterprises they don’t care because they have FIDO2/U2F or similar authN infrastructures and corresponding authZ improvements on their roadmaps within the next 3-5 years anyways that do away with most passwords in their environments.

> Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.

[1]: https://pages.nist.gov/800-63-3/sp800-63b.html#memsecretver

For context, I remember the contract first came back, and we redlined it saying we're not gonna do password expiration and explained why. It then came back with another draft and they said "no, this is our policy, you definitely need to do password expiration" so I threw these references together and expanded my explanation. It was a bunch of business/lawyer types, so I threw microsoft in there as I assume they're better known to non-technical people and the other two references are obviously more salient to technical people.

As a side-note I think this was _after_ they had their very well publicized security breach, and I would have hoped that they had taken a look at their security and updated their policies but I guess that wasn't the case. I don't know whether they ended up removing it from their contracts going forward or just made an exception for our one. The cynical part of me says the latter (it's a big firm, and we're not a particularly big one) but I can hope.

I also recently read an audit for another third party we were evaluating to work with. I raised it as a non-blocking concern saying they're not following modern password standards, and I think if everyone does that these companies will start to update their policies but for now it's fairly common at least in my industry.

[EDIT] I went looking for what I actually said to them, and it was "as per UK/US government and Microsoft password guidelines, we will not agree to this, and would prefer if you didn't do it as well.". So I guess I was a bit exasperated with them at the time :)

[0] https://pages.nist.gov/800-63-3/sp800-63b.html#memsecretver

[1] https://learn.microsoft.com/en-gb/archive/blogs/secguide/sec...

[2] https://www.ncsc.gov.uk/collection/passwords/updating-your-a...

Agreed, huge thanks to NIST for the sane password policy recommendations. While it is still an uphill fight to bring sanity into this mess, being able to quote NIST and say we're following their recommendation has been very helpful.

They refer to it as a “Memorized Secret“.

The appendix, “Strength of Memorized Secrets” is informative rather than a guideline, but I would recommend quoting it too in such discussions:

> composition rules, which require the user to choose passwords constructed using a mix of character types, such as at least one digit, uppercase letter, and symbol. However, analyses of breached password databases reveal that the benefit of such rules is not nearly as significant as initially thought… although the impact on usability and memorability is severe

There’s also this great quote:

Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically).

There’s other great stuff in there as well like that you should allow users to “paste” passwords and potential passwords should be checked against a list of known bad ones.

Why can I accept it? I constantly see colleagues sharing passwords and constantly have to say "please don't" when they try to share their password with me. While forcing people to change their passwords doesn't eliminate the underlying problem, it does limit the scope of the damage.

For the next 10 years, his password was a particular insulting phrase directed at the IT guys, followed by a number that would increment each time he had to change it. Got into the hundreds before he left the company.

It also interferes with password managers and secure keys. Opens a phishing vector. Generally I could enumerate how bad it is and run out of ink here. (And it's a screen.)

Even the head of information security tried changing this and failed to get the change through.

Of course there's TouchID and Windows hello but they don't work if your laptop is closed in a dock. Or in my case a Mac mini at home.

This is why I still stick to the truly random sorry password, I have no issues remembering arbitrary strings for some reason :)

Luckily my work still allows 10-char with specials or passphrases of 16 and longer without. And don't forget passphrases only benefit in very specific situations such as hash brute forcing. Online attacks already block after a handful of attempts.

Also, the incessant screen locking really annoys me, every time I step away for a coffee my PC is locked again, and this is also at home where my environment is completely secure and I'm the only one living there. I actually work in security but sometimes there is just no reason and it becomes just a barrier.

In the past I used an app to jiggle the mouse every once in a while but that doesn't work anymore. I now made a digispark that does the same in hardware. :) I only use it at home though and it auto-locks my desktop when I leave the house (all my personal ones do too)

If they'd just allow us to use our yubikey + pin it would be so much easier and more secure...

Those are rookie numbers!

In all serious, my point is roughly that typing Sp3c1al_(h4racTer_p@ssw0rd$ is like O(n) whereas typing passphrases is like O(log n). Once you hit a certain length, pass phrases start pulling ahead in ease-of-use.

We're already constantly maintaining muscle memory just by typing normal words every day. With muscle memory for special character passwords, you have to start over from scratch every time you have to change one.

In other words, imagine I flipped over a flashcard with a new passphrase on it consisting of lowercase English words, and asked you to type it. Now imagine I flip over a flashcard with a new, special character password. How many more times do you think you'd have to reference the flashcard with the special character password while typing it out and developing the muscle memory over the flashcard with the passphrase?

> Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.

https://www.ncsc.gov.uk/collection/passwords/updating-your-a...

I thought Vitalin Buterin had a really nice steelman of Bitcoin maximalism.

(CTO at Mercury)

Could you clarify the minimum requirements for being a Mercury customer?

On your home page, you say you are not a bank. From what I can tell, you seem to be a wrapper around a bank(s) (Choice Financial Group and Evolve Bank & Trust®). Does that mean signing up with you gives me an account with those banks, or do I still have to sign up with those banks independently in order to use your service?

I'm sorry if this seems like a stupid question, but it isn't apparent to me from a quick scan of your website.

EDIT: Last question... if your customers aren't required to establish a direct relationship with your underlying banks, how do you handle KYC? Would I need to fly to the US to get this started, or would a zoom session plus all the relevant ID's be enough?

Neither. The funds are held by those banks, but you won’t ever deal with them directly nor have any login to them

> Would I need to fly to the US to get this started, or would a zoom session plus all the relevant ID's be enough?

You just sign up online and provide documents. No zoom sessions.

If you have the relevant documents signing up should take ~15 minutes

Have a great weekend, sir.

The biggest thing for us would be if you could support Plaid's Identity product by returning names and emails when someone links a Brex account with Plaid.

When someone links an account using Plaid, having this data available means we can compare that to the names/emails we have on file and have verified. If it's a match, this makes it _dramatically_ less likely someone is trying to commit ACH fraud against a Brex customer.

This makes it safer for us to offer higher ACH pull limits to that customer. Even for customers who never switch away from Brex, this would significantly increase protection from ACH fraud.

- Max T, CTO Mercury

There has got to be a better way for us to accomplish this.

Uber is an example of this (taxis had issues in Europe/Australia as well, but by far not as problematic)

One path forward is Oauth, which several major institutions use on Plaid (Capital One, Wells, Chase are ones I know of).

This definitely solves “entering login information into random forms”.

I’m pretty sure I have seen these institutions offer you some control over what data you share when you link, but it was minimal control, and didn’t work well. Ideally that would be more fleshed out.

You’d still be sharing balance and transaction data with Plaid though, that part isn’t solved by Oauth. I think to solve that you need to have a European style standard banking API that makes direct bank-to-bank data sharing tenable?

The US needs an open banking law. This should not be an optional feature for banks to offer. It should be an absolute requirement.

I think it's insane to enter your credentials into Plaid. Almost every banking agreement I've ever seen disclaims liability if your account is breached because you shared your password. So, if you share your password with Plaid, and Plaid is breached, and someone uses your banking credentials to drain your account, I think a bank could wash their hands of it and walk away in that situation.

I'm sure the Plaid engineers are great, and that their data is stored securely (and maybe they don't store the password at all in there systems). But I'm not willing to bet my entire bank account on them being perfect.

1. Plaid has been pretty much been blessed by the largest player in the space (the , now blocked, acquisition from Visa).

2. The banks are glad to outsource development of banking apis to one single customer. Even CapitalOne who seemed horrified at the integration built an Oauth endpoint.

3. The queue of banking regulations is a mile long and is deeply politically controversial among those who vote.

4. Our geriatrics in congress will never see this as an important issue.

It's just easier to not use Plaid.

But, there are many services that should exist, that could be safely used, if such an API mandate existed.

I actually think it’s a matter of time. Eventually the current state of affairs will lead to a crisis. Someone operating like Plaid (a centralized nexus of banking passwords) will be breached, funds will be drained, and banks will shrug.

At that point, the API law becomes much more likely. Banking regulations have a way of moving very slowly until a crisis erupts.

Another path is, once most of the bigger banks develop their own APIs, they will probably push for the regulation as a path to making it harder for smaller banks to compete.

is "Plaid is breached" necessary? Or is it enough for bank to be aware that you used Plaid?

My guess would be that your bank account being compromised would need to flow in some way from you sharing your password. But, it might be a matter of “who has the resources to make a claim in court”, which could be a challenge for most people if they just lost their bank account (hell, it would be hard for most people even with access to their savings)

It may not be enforceable, but in my case any use of Plaid or Plaid-like tool would allow bank to claim that they are no longer responsible for any fraud.

(for reference - I am from Poland, never encountered any nonscam asking me for my bank account, though banks have different variety of problems)

Though this is still obviously not a replacement for open banking and would I still love open banking laws in the US (and hopefully better implemented / constructed than the open banking laws in Europe!)

I reviewed the register https://www.federalregister.gov/documents/2011/12/27/2011-31... and the link you provided.

I don't see anything that would extend the coverage to a service that is providing a read-only view into the account, or anything that mentions password sharing. I _think_ I could see what you're describing in maybe the description of the transitive nature of Regulation E to cover "non-bank payment providers", but I don't see anything that would protect me if I shared my bank password with Mint via Plaid?

I'd love to know more, and as a lay person I'm having a hard time working my way through all the language of Regulation E.

(Also, just to clarify how Plaid works, Plaid does not share account credentials with Plaid's customers, so you wouldn't be sharing your password with Mint via Plaid. Instead, Plaid provides token-based access to data via an API.)

After looking at those answers and reviewing the relevant parts of Regulation E that it cites, I do feel like the regulation pretty-comprehensively disallows banks to impose liability on the consumer for sharing their password. Answer 8 especially that notes that no waiver of Regulation E is allowed makes me feel more comfortable.

I'd still support an open-banking API law, but your citations here have really turned down the urgency for me on that issue.

(And, yep I'm familiar that Plaid does not share the password beyond itself and the relevant bank it's authenticating with)

Why can’t a Mercury wire or ach successfully clear to Circle?

As a Mercury customer what I know is that not a single one I’ve tried has worked resulting in days locked funds.

This is (as far as I understand) wrong. Fortunately it usually doesn’t break anything, but Circle is more strict about this saying the business name.

We have a new partner bank we just launched where we have full control of the ACH stack, where we’ve resolved this. Also trying to fix the issue with the existing partner.

Caveat that I didn’t check this answer with anyone, since it’s early.

http://business.sos.ri.gov/CorpWeb/CorpSearch/CorpSearchRedi...

https://opencorporates.com/filings/1091852658

Does this sound correct to you / if so can you remedy it with Rhode Island? (edit: our onboarding team says you specifically want a Certificate of Good Standing from the state)

That said, this should have been communicated as a clear rejection reason—we'll work on that.