I wish my bank/brokerage/etc all had the equivalent of "valet key" logins where I could set up and manage accounts for others which only had a subset of my own rights. For example, I'd like to hire an assistant to reconcile/aggregate/classify my financial records, but I'd either have to take a lot of time to gather everything up or expose the ability for this person to steal from me. My brokerage account includes the right to buy/sell securities, but I only want my bookkeeper to be able to view my transaction history.
One problem I see is that access to one's financial records sometimes is used as a proxy for identity, much like the presumption that, if you can read an email sent to a particular address, you must "own" that email address. Didn't PayPal once (or even still does?) debit N cents from one's bank account and then ask what amount was charged as a way of verifying new users?
What else would you have them do? They are verifying this is your bank account and this is the best way to do it. Think of it like feature detection in JS vs. user agent string matching.
They're verifying that I created a PayPal account which links to a bank account to which I have read-level transaction ledger access. It's a better-than-nothing proxy, but it doesn't prove that the person setting up the PayPal account has the legal right to withdraw funds from that account.