I don't exactly know. But I'm under the impression that it performs the standard website login flow via headless browsing, then uses the website's "download transactions as OFX" functionality. So similar problems as "screen scraping" but less error prone because if it successfully downloads the data, it is in a well-defined format.