[textfoo]

I work at a bank that has a vendor that uses client credentials in order to html scrape their account pages. Most banks refuse to generate consumable methodologies for other financial services to use their data, so they go about it the hackiest way possible.

[salawat]

The bank has many reasons to specifically not provide that functionality. And if your value proposition as a company is to farm people's financial data for your own purposes, all I can say is tread carefully.

It won't take much in terms of negative outcomes generated by increased attack surface to make bank/financial regulations even more strict.

This practice is a clear violation of just about every bank I've seen's security policy. Normal practice would be to negotlate a data sharing of some sort, but that happening would be dependent on your company's ability to generate increased visibility for, or traffic to the bank.

Anyway, tread carefully

[pbreit]

I don’t think it’s crazy for customers to be able to retrieve their own data.

[salawat]

I don't either. It is, however, crazy to expect a bank to tolerate you granting a third, unknown party access to their data systems by sharing your personal credentials with the third party.

Your business with the bank entitles you, and only you; barring certain exceptions at their discretion, access to that data.

They do this to minimize risk and culpability in the face of a large number of adversaries that could extract value from possession of data on your personal habits.

It isn't sexy, but that is just the way it works. I've banged my head against the financial industry looking for ways to improve it, but at the end of the day, a lot of the rules and restrictions they put in place actually do make a frustratingly good deal of sense.

Think about this.

Suppose you and 1000000 other people hand login credentials for financial service X to company Y.

Company Y is basically a shell company wrapping a money laundering operation. Your combined set of login credentials becomes an ideal way to wash money into the financial system until everyone else in the financial network catches on. Then that company disappears, and sets up under a different name.

This stuff happens; and even if only some people don't notice, that's all it takes.