Capital One and Citi both have OAuth APIs that permit different levels of permissions.

And the Capital One flow was utter crap the last time I had to program against it. A past company I was in used a Plaid competitor that suddenly had to implement Capital One flow, which was utter shit, including their (Capital One) Sandbox environments that basically didn't work.

Banks are so held in last century technology...