I was also surprised when I was researching - it is actually the standard for modern fintech companies (with PSD2 in Europe and the CMA Order in the UK).
Regarding "write" access: It absolutely exists. Crazy, right? Look up PISP (Payment Initiation). It allows apps to push payments, not just read balances (which is called AISP and is what I am trying to do).
I guess they allow this because the security model isn't "letting an app log in to your bank"; it uses OAuth flows where you authenticate directly with the bank (often using something that they call Strong Customer Authentication), and the bank issues a restricted token to the app for only the specific things it's permitted to use. That's why they required the apps to have such high security standards. I assume it was just too costly and risky to run?