@button TLDR: may be technically against T&Cs but I'd trust Pocketsmith anyway (but not poli)
I've gone down a bit of a rabbit hole with this this morning, though not enough to just email the bank and check 😅. I'm not a super techy person but I spend time around some pretty techy, security savvy people.
I checked with ANZ who seem to be one of the most conservative with third parties, and Westpac who have openly partnered with and invested in Akahu.
Akahu is the fintech company that allows the open banking access behind Pocketsmith (who don't themselves get to see your credentials).
https://learn.pocketsmith.com/article/1331-about-akahu-our-new-zealand-data-provider
Pocketsmith basically has access to the bank's APIs to allow it read-only access. They seem to integrate somewhat with the bank's own app, depending on the bank, which indicates a degree of buy-in from the bank.
I think following the letter of the T&Cs, depending on your bank, it may still be against the conditions as you do have to disclose your login credentials. However, it seems to mostly come down to whether the bank is liable for any losses incurred as a result of that credential disclosure, and Pocketsmith/Akahu can't incur any losses. It does seem like for some providers there is storage of your login credentials, and while encrypted that certainly gives me a moment of pause. I can't immediately see which providers this is the case for.
That said, true open banking seems to be in the wings with the four major banks required to be ready this year.
(I agree that poli is against the terms though as you are giving your credentials and the ability to move money - dangerous!)