I suspected it might be different elsewhere, but I had no idea that the situation was so dire that you had to actively go looking for a bank with an API.
 https://de.wikipedia.org/wiki/Financial_Transaction_Services (German)
 https://de.wikipedia.org/wiki/Homebanking_Computer_Interface (German)
It merely provides a standardized interface to access account data or initiate transactions, but it still uses a plain username/password login to authenticate.
Even that it does not do particularly well – the protocol is horrendously outdated and does not support "recent" inventions like credit cards on many popular banks, which means that banking aggregators have to fall back to screenscraping anyway.
However, this will hopefully change soon with PSD2/SCA, which does mandate such secure account access (based on OAuth2, if I understand it correctly).