They do this because banks refuse to implement a properly-secured read-only API for granting access to transaction data. (I think maybe Chase now finally has one)
Maybe if the banks realize their customers are handing over their credentials in large numbers, it will light a fire under them to build a real solution.
> Maybe if the banks realize their customers are handing over their credentials in large numbers
Or they might pop a bottle of Champaign over that, in jurisdictions where the bank is by default responsible for all the account abuse risk unless they can prove that the user has shared credentials.
Probably not, because liability for non-credit accounts is up to the customer, not the bank. If people give up access credentials then they only have themselves to blame.
Maybe if the banks realize their customers are handing over their credentials in large numbers, it will light a fire under them to build a real solution.