I actually think the opposite is happening. Yes, a few are adding OAuth flow-equivalent, but even more are adding 2-factor and other security measures that prevent a third party.
Maybe Plaid has enough clout to prevent it, but other services have dropped functionality for more and more accounts over the past 2-3 years in my experience.
IIRC, OpenBanking in the UK requires a re-auth every 90 days with the 2FA. I think that's a very reasonable balance, and means services don't have perpetual access.
Oh, I'd be ecstatic if that's how it worked. Instead, I have to go through 2FA every time I want to update with some providers. Others say "Apologies, we're working with the provider to restore support" and have stopped working for years. Others I can transfer money but can no longer see the balance.
On rare occasion I see banks that have a revocable token. I can't remember the exact linking process, but presumably they don't get my credentials, I can specify read-only access and specify specific accounts, it needs periodic renewal, and from the bank end I can see who I gave permission to and revoke access from there. This doesn't seem common and I'm not sure if all the clients support those banks (or if it's a limited "in-group").
None of this is especially novel. It's just the incentives and efforts aren't there.
It's frankly annoying. I wish they enforced a notification by some means instead (X still has access unless you do Y), at least for services that only need read-only access.
Yep, but unfortunately it's only a small handful of the banks. And it tends to be the larger national banks that offer proper APIs, and I tend to avoid banking with those.
I'd really like to see Open Banking API laws passed in the US to require banks to offer this kind of API.