They screen scrape the banks website. Absolutely awful from a security perspective. Even if a particular site is trustworthy, it's not a practice that should be encouraged.
I don't think it's illegal anywhere, although it might violate a TOS and a bank may try to block it at any time. They could also block connections from certain IP ranges if the scraping is done one the server.