[dguido]

Because they use OFX for read-only transactions and an HSM to store the passwords:

http://money.stackexchange.com/questions/15392/are-there-any...

[nailer]

The bank should provide oauth, with 'see your transactions' as a permission you can revoke later.

Unfortunately, banks are technically backward and don't realise they're dumb vaults yet, much in the same way phone carriers are dumb pipes.