| ▲ | rkagerer 2 days ago | |
How does Tiller get your transaction data from your bank? Do they pull it through Plaid and the like? It's been a while since I checked them out. Does it still entail entrusting Plaid with your web banking user credentials? How's 2FA handled? Does Plaid still rely on screen scraping for certain financial institutions who lack formal APIs? What happens if there's a bug and they inadvertently click something they shouldn't, e.g. "I Agree" to a popup or something you don't consent to, or even send funds to the wrong place? I know they claim they are "read only" but afaik no bank offers the ability to set up secondary user accounts (on personal banking plans) that truly are just read only? Do they maintain underwritten insurance or a bond or something to improve your confidence you'll be reimbursed if they, say, cause you a million+ dollars worth of financial damage? How about the implications of letting both those parties see all your private banking data? I heard there was a class action lawsuit with allegations data was sold or shared inappropriately, any indications on what actually happened? Or how about the clauses in your banking Terms of Service where you agree not to share your password with third parties? I just feel queasy using a web / cloud service to manage my finances. Would prefer some client software that runs locally and talks to some kind of bank APIs. Does such a thing exist in Canada? (Open Banking is supposed to be coming but I'm not clear if individuals will be able to access it for software they write themselves?) I would switch banks if it did. These are genuine questions, I sure could use something like an API to my bank, if it were impeccably trustworthy and enforced policies of limited internal data retention once I've "downloaded" it. | ||
| ▲ | mbm 2 days ago | parent | next [-] | |
Local AI models are getting a lot better. If you have the capability to run them, you could automate this yourself using your own browser automation, actually. It is rather fiddly, as mentioned in the post, but is absolutely doable, and probably the only option, at least for now, where you wouldn't need to provide your credentials to a third party. Plaid does do screen scraping for smaller banks, but they have agreements for OAuth-based access with most of the largest institutions. | ||
| ▲ | cowlby 2 days ago | parent | prev [-] | |
I believe they use Yodlee, and yes, there is a lot of trust in Yodlee/Tiller to keep data safe. The integrations go through an OAuth-type flow where you hit, say, Chase first and approve/revoke individual accounts, so it seems like it's API based now, not screen scraping. For all those concerns, I bet you could automate just parsing all the data from the statements or a CSV export. | ||