I don’t like it either, but I’m not sure how you could get archaic banks and low-tech consumers to adopt something better.
It won't take much in terms of negative outcomes generated by increased attack surface to make bank/financial regulations even more strict.
This practice is a clear violation of the security policy of just about every bank I've seen. Normal practice would be to negotiate some sort of data sharing, but that happening would be dependent on your company's ability to generate increased visibility for, or traffic to, the bank.
Anyway, tread carefully.
Your business with the bank entitles you, and only you (barring certain exceptions at their discretion), to access that data.
They do this to minimize risk and culpability in the face of a large number of adversaries that could extract value from possession of data on your personal habits.
It isn't sexy, but that is just the way it works. I've banged my head against the financial industry looking for ways to improve it, but at the end of the day, a lot of the rules and restrictions they put in place actually do make a frustratingly good deal of sense.
Think about this.
Suppose you and 1,000,000 other people hand login credentials for financial service X to company Y.
Company Y is basically a shell company wrapping a money laundering operation. Your combined set of login credentials becomes an ideal way to wash money into the financial system until everyone else in the financial network catches on. Then that company disappears, and sets up under a different name.
This stuff happens, and even if only some people don't notice, that's all it takes.
I'm working with a fintech company in Germany at the moment that asks users for their internet banking credentials. Apparently it's quite common in Germany.
We're talking about end-users utilizing a third-party service to get some kind of visualisation of their bank accounts.
While German banks have a standardized API (FinTS), the normal authentication details are still necessary in order to use it, so basically all third party services demand them for that.
The only place where OAuth2 is used is for single sign-on between services of the same company, and maybe, very rarely, you also get social auth from Facebook or similar.
No bank I've ever seen has ever provided a public OAuth API with which you could fetch data.
Laws that require banks to provide APIs so that any other service, including other banks, can consume the user's banking data.