The same info is also on checks, and there's an established story around fraud there -- if I didn't authorize an ACH withdrawal then my bank is legally required to make me whole. If I hand over my username+password to a third party, I'm on my own.

Also, the routing+account numbers just let them deposit/withdraw money, not snoop on all my transactions and harvest my data...

▲

phoenixy1 6 hours ago | parent [-]

This is a common belief, but the CFPB has stated your bank is still legally required to make you whole in the event of fraud even if you handed over your username and password to a third party, and that any bank TOS stating otherwise are not valid. This is covered on the CFPB Electronic Fund Transfers FAQ, under the Error Resolution: Unauthorized EFTs, Question 8: https://www.consumerfinance.gov/compliance/compliance-resour...

	▲	lxgr 5 hours ago \| parent [-]
		In Germany, there was a similar antitrust-based ruling, but it even went further: They disallowed banks to block screen scraping services, as they considered the existence of screen-scraping-based confirmed instant bank transfers a valuable competitor to the (bank-led) card payment schemes. In retrospect, they were maybe right on the competitive part, but the data privacy impact was disastrous.