by Jtsummers 2869 days ago
Regarding APIs: Let us use access keys that limit what the API can see/do. I don't like that Mint can do almost anything to my account by virtue of having a password. I just want to be able to reliably collect transaction and/or balance information, nothing more (which is already a lot, but I manually or semi-automatically collect this at the moment rather than using an API).

Let the user generate an API key that is (somehow) transmitted to the application with limited access. Then the user, at the bank's site, can revoke these authentications at any time. Stopped using YNAB? Revoke its key. Stopped using Mint? Revoke its key. Started using gnucash? Add a key.


I was just thinking this exact thing. It's reckless to provide a third party your direct banking credentials. I feel unsafe entering those credentials into my browser as it is - but to share it with a third party product gives me the creeps. It's so stupidly easy to generate an access token that can be shared with third parties and restrict access to read-only. Why they didn't think of that is beyond me; the tech has been available for a very long time.
Want to know something really annoying? I bank with multiple banks. One institution uses access tokens. I can link them to my primary bank (the primary has a better "whole picture" view). But does my primary bank offer access tokens of their own? No. They understand the concept, but don't use it themselves.

Of course, I know why. Different teams. There's no cohesive vision to their IT work, same as every other enterprise out there.

EDIT: Cleaned up language. Removed some info I didn't really want here but really botched the posted version when I did.

In Europe, PSD2 and the Open Banking initiatives provide this. All retail and commercial banks are required to provide open APIs to Account Information Service Providers or Payment Initiation Service Providers (the former being read-only, the latter read and write). Essentially you're talking about a delegated access / OAuth-style universe for banks and technology companies. It'd be great to see the US adopt something similar.
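The per-application, revocable, limited-access keys proposed in the first comment, together with the read-only (AISP) versus read-and-write (PISP) split mentioned in the last one, as an added example that is not code from this thread, from any bank, or from Mint/YNAB/gnucash. It sketches the bank-side service: the user issues one key per app with a fixed scope, the bank keeps only a hash of the secret, and the user can revoke any key at any time. The scope names, the in-memory store and the `authorize` interface are assumptions made for the illustration.

```python
"""Scoped, revocable API keys for third-party account access (added example)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed scope vocabulary, loosely modelled on the AISP (read-only) / PISP
# (payment initiation) distinction from the thread.
SCOPE_READ_ACCOUNTS = "accounts:read"
SCOPE_INITIATE_PAYMENTS = "payments:initiate"
KNOWN_SCOPES = frozenset({SCOPE_READ_ACCOUNTS, SCOPE_INITIATE_PAYMENTS})


def _digest(secret):
    # Only this digest is stored; a leaked key table does not yield usable tokens.
    return hashlib.sha256(secret.encode()).digest()


@dataclass
class ApiKeyRecord:
    key_id: str
    app_name: str
    scopes: frozenset
    secret_hash: bytes
    expires_at: float
    revoked: bool = False


class ApiKeyService:
    """Constructed in-memory stand-in for the bank's key store."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._keys = {}  # key_id -> ApiKeyRecord

    def issue(self, app_name, scopes, ttl_seconds=90 * 24 * 3600):
        scopes = frozenset(scopes)
        unknown = scopes - KNOWN_SCOPES
        if unknown:
            raise ValueError(f"unknown scopes: {sorted(unknown)}")
        key_id = secrets.token_hex(8)
        secret = secrets.token_urlsafe(32)
        self._keys[key_id] = ApiKeyRecord(
            key_id, app_name, scopes, _digest(secret), self._clock() + ttl_seconds
        )
        # The full token is shown to the user exactly once; "key_id.secret" lets
        # the bank look up the record without storing the secret itself.
        return f"{key_id}.{secret}"

    def revoke(self, key_id):
        """User-driven revocation: 'Stopped using YNAB? Revoke its key.'"""
        rec = self._keys.get(key_id)
        if rec is None:
            return False
        rec.revoked = True
        return True

    def list_keys(self):
        return [(r.key_id, r.app_name, sorted(r.scopes), r.revoked)
                for r in self._keys.values()]

    def authorize(self, token, required_scope):
        """Check a presented token against one required scope; returns (ok, reason)."""
        try:
            key_id, secret = token.split(".", 1)
        except ValueError:
            return False, "malformed token"
        rec = self._keys.get(key_id)
        if rec is None:
            return False, "unknown key"
        # Constant-time comparison of the digests.
        if not hmac.compare_digest(rec.secret_hash, _digest(secret)):
            return False, "bad secret"
        if rec.revoked:
            return False, "revoked"
        if self._clock() > rec.expires_at:
            return False, "expired"
        if required_scope not in rec.scopes:
            return False, "insufficient scope"
        return True, "ok"


def walkthrough():
    """Replays the thread's scenario; returns the outcome of each step."""
    svc = ApiKeyService()
    mint = svc.issue("Mint", [SCOPE_READ_ACCOUNTS])      # aggregator: read-only
    ynab = svc.issue("YNAB", [SCOPE_READ_ACCOUNTS])      # budgeting app: read-only
    steps = {
        "mint_reads_balances": svc.authorize(mint, SCOPE_READ_ACCOUNTS),
        "mint_tries_payment": svc.authorize(mint, SCOPE_INITIATE_PAYMENTS),
    }
    svc.revoke(ynab.split(".", 1)[0])                    # stopped using YNAB
    steps["ynab_after_revoke"] = svc.authorize(ynab, SCOPE_READ_ACCOUNTS)
    steps["mint_still_works"] = svc.authorize(mint, SCOPE_READ_ACCOUNTS)
    return steps


if __name__ == "__main__":
    for name, outcome in walkthrough().items():
        print(f"{name}: {outcome}")
```

The point the thread makes is visible in `authorize`: a key issued with only `accounts:read` cannot initiate a payment no matter what the holder does with it, and revoking one application's key leaves the others untouched, whereas a shared password has neither property.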