@Edent
Yep, I can't see any good reason not to allow direct api access from a customer system to their personal bank data. It's directly equivalent to using the web interface that undoubtedly already exists. Sure there is a slight variation in attack surface, but that's not particularly hard to adjust to. I suspect the issue is who gets the blame for the inevitable breach from someone's poorly secured SBC. Even then, contract law can make demarcation clear enough... 🤷♂️
Yep, I can't see any good reason not to allow direct api access from a customer system to their personal bank data. It's directly equivalent to using the web interface that undoubtedly already exists. Sure there is a slight variation in attack surface, but that's not particularly hard to adjust to. I suspect the issue is who gets the blame for the inevitable breach from someone's poorly secured SBC. Even then, contract law can make demarcation clear enough... 🤷♂️