At this point, it's often OAuth, but in my view, the exact means of access is a red herring: The only thing that changes between screen scraping and OAuth is that Plaid doesn't get my banking password, which is literally the least of my concern compared to persistent access to my account transactional data.